diff --git a/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts b/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
index 0d098588f6b26..d78cfaf2494b0 100644
--- a/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
+++ b/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
@@ -246,6 +246,12 @@ export const technique = [
 reference: 'https://attack.mitre.org/techniques/T1134',
 tactics: ['defense-evasion', 'privilege-escalation'],
 },
+ {
+ name: 'Accessibility Features',
+ id: 'T1015',
+ reference: 'https://attack.mitre.org/techniques/T1015',
+ tactics: ['persistence', 'privilege-escalation'],
+ },
 {
 name: 'Account Access Removal',
 id: 'T1531',
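Review bot: The entry added here for T1015 'Accessibility Features' is a technique MITRE has revoked (its content now lives under sub-technique T1546.008), and the same holds for a large share of the additions in the later hunks of this file — for example T1182 'AppCert DLLs', T1103 'AppInit DLLs', T1086 'PowerShell', T1075 'Pass the Hash', T1117 'Regsvr32', T1065 'Uncommonly Used Port', and the T1015 option added to `techniquesOptions`. Exposing revoked IDs in the rule-creation MITRE picker lets new detections be mapped to identifiers the framework no longer maintains, which distorts coverage reporting against the current matrix and makes the mappings unreliable for analysts. This looks like the upstream data or extraction step stopped filtering on the STIX `revoked` / `x_mitre_deprecated` flags; filtering those entries out before emitting `technique` and `techniquesOptions` would keep the legitimate newer additions (T1622, T1621, T1647) and renames (T1046, T1111, T1218, T1216) while dropping the stale ones. The `technique` array begins before this hunk.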
@@ -282,12 +288,48 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1557', tactics: ['credential-access', 'collection'], }, + { + name: 'AppCert DLLs', + id: 'T1182', + reference: 'https://attack.mitre.org/techniques/T1182', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'AppInit DLLs', + id: 'T1103', + reference: 'https://attack.mitre.org/techniques/T1103', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'AppleScript', + id: 'T1155', + reference: 'https://attack.mitre.org/techniques/T1155', + tactics: ['execution'], + }, + { + name: 'Application Access Token', + id: 'T1527', + reference: 'https://attack.mitre.org/techniques/T1527', + tactics: ['defense-evasion', 'lateral-movement'], + }, + { + name: 'Application Deployment Software', + id: 'T1017', + reference: 'https://attack.mitre.org/techniques/T1017', + tactics: ['lateral-movement'], + }, { name: 'Application Layer Protocol', id: 'T1071', reference: 'https://attack.mitre.org/techniques/T1071', tactics: ['command-and-control'], }, + { + name: 'Application Shimming', + id: 'T1138', + reference: 'https://attack.mitre.org/techniques/T1138', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Application Window Discovery', id: 'T1010', @@ -306,6 +348,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1123', tactics: ['collection'], }, + { + name: 'Authentication Package', + id: 'T1131', + reference: 'https://attack.mitre.org/techniques/T1131', + tactics: ['persistence'], + }, { name: 'Automated Collection', id: 'T1119', 
@@ -324,6 +372,18 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1197', tactics: ['defense-evasion', 'persistence'], }, + { + name: 'Bash History', + id: 'T1139', + reference: 'https://attack.mitre.org/techniques/T1139', + tactics: ['credential-access'], + }, + { + name: 'Binary Padding', + id: 'T1009', + reference: 'https://attack.mitre.org/techniques/T1009', + tactics: ['defense-evasion'], + }, { name: 'Boot or Logon Autostart Execution', id: 'T1547', @@ -336,6 +396,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1037', tactics: ['persistence', 'privilege-escalation'], }, + { + name: 'Bootkit', + id: 'T1067', + reference: 'https://attack.mitre.org/techniques/T1067', + tactics: ['persistence'], + }, { name: 'Browser Bookmark Discovery', id: 'T1217', @@ -366,6 +432,30 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1612', tactics: ['defense-evasion'], }, + { + name: 'Bypass User Account Control', + id: 'T1088', + reference: 'https://attack.mitre.org/techniques/T1088', + tactics: ['defense-evasion', 'privilege-escalation'], + }, + { + name: 'CMSTP', + id: 'T1191', + reference: 'https://attack.mitre.org/techniques/T1191', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Change Default File Association', + id: 'T1042', + reference: 'https://attack.mitre.org/techniques/T1042', + tactics: ['persistence'], + }, + { + name: 'Clear Command History', + id: 'T1146', + reference: 'https://attack.mitre.org/techniques/T1146', + tactics: ['defense-evasion'], + }, { name: 'Clipboard Data', id: 'T1115', @@ -378,6 +468,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1580', tactics: ['discovery'], }, + { + name: 'Cloud Instance Metadata API', + id: 'T1522', + reference: 'https://attack.mitre.org/techniques/T1522', + tactics: ['credential-access'], + }, { name: 'Cloud Service Dashboard', id: 'T1538', 
@@ -396,6 +492,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1619', tactics: ['discovery'], }, + { + name: 'Code Signing', + id: 'T1116', + reference: 'https://attack.mitre.org/techniques/T1116', + tactics: ['defense-evasion'], + }, { name: 'Command and Scripting Interpreter', id: 'T1059', @@ -414,6 +516,30 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1092', tactics: ['command-and-control'], }, + { + name: 'Compile After Delivery', + id: 'T1500', + reference: 'https://attack.mitre.org/techniques/T1500', + tactics: ['defense-evasion'], + }, + { + name: 'Compiled HTML File', + id: 'T1223', + reference: 'https://attack.mitre.org/techniques/T1223', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Component Firmware', + id: 'T1109', + reference: 'https://attack.mitre.org/techniques/T1109', + tactics: ['defense-evasion', 'persistence'], + }, + { + name: 'Component Object Model Hijacking', + id: 'T1122', + reference: 'https://attack.mitre.org/techniques/T1122', + tactics: ['defense-evasion', 'persistence'], + }, { name: 'Component Object Model and Distributed COM', id: 'T1175', @@ -450,6 +576,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1613', tactics: ['discovery'], }, + { + name: 'Control Panel Items', + id: 'T1196', + reference: 'https://attack.mitre.org/techniques/T1196', + tactics: ['defense-evasion', 'execution'], + }, { name: 'Create Account', id: 'T1136', 
@@ -468,6 +600,54 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1555', tactics: ['credential-access'], }, + { + name: 'Credentials from Web Browsers', + id: 'T1503', + reference: 'https://attack.mitre.org/techniques/T1503', + tactics: ['credential-access'], + }, + { + name: 'Credentials in Files', + id: 'T1081', + reference: 'https://attack.mitre.org/techniques/T1081', + tactics: ['credential-access'], + }, + { + name: 'Credentials in Registry', + id: 'T1214', + reference: 'https://attack.mitre.org/techniques/T1214', + tactics: ['credential-access'], + }, + { + name: 'Custom Command and Control Protocol', + id: 'T1094', + reference: 'https://attack.mitre.org/techniques/T1094', + tactics: ['command-and-control'], + }, + { + name: 'Custom Cryptographic Protocol', + id: 'T1024', + reference: 'https://attack.mitre.org/techniques/T1024', + tactics: ['command-and-control'], + }, + { + name: 'DLL Search Order Hijacking', + id: 'T1038', + reference: 'https://attack.mitre.org/techniques/T1038', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + }, + { + name: 'DLL Side-Loading', + id: 'T1073', + reference: 'https://attack.mitre.org/techniques/T1073', + tactics: ['defense-evasion'], + }, + { + name: 'Data Compressed', + id: 'T1002', + reference: 'https://attack.mitre.org/techniques/T1002', + tactics: ['exfiltration'], + }, { name: 'Data Destruction', id: 'T1485', @@ -480,6 +660,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1132', tactics: ['command-and-control'], }, + { + name: 'Data Encrypted', + id: 'T1022', + reference: 'https://attack.mitre.org/techniques/T1022', + tactics: ['exfiltration'], + }, { name: 'Data Encrypted for Impact', id: 'T1486', 
@@ -546,6 +732,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1025', tactics: ['collection'], }, + { + name: 'Debugger Evasion', + id: 'T1622', + reference: 'https://attack.mitre.org/techniques/T1622', + tactics: ['defense-evasion', 'discovery'], + }, { name: 'Defacement', id: 'T1491', @@ -576,12 +768,42 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1006', tactics: ['defense-evasion'], }, + { + name: 'Disabling Security Tools', + id: 'T1089', + reference: 'https://attack.mitre.org/techniques/T1089', + tactics: ['defense-evasion'], + }, + { + name: 'Disk Content Wipe', + id: 'T1488', + reference: 'https://attack.mitre.org/techniques/T1488', + tactics: ['impact'], + }, + { + name: 'Disk Structure Wipe', + id: 'T1487', + reference: 'https://attack.mitre.org/techniques/T1487', + tactics: ['impact'], + }, { name: 'Disk Wipe', id: 'T1561', reference: 'https://attack.mitre.org/techniques/T1561', tactics: ['impact'], }, + { + name: 'Domain Fronting', + id: 'T1172', + reference: 'https://attack.mitre.org/techniques/T1172', + tactics: ['command-and-control'], + }, + { + name: 'Domain Generation Algorithms', + id: 'T1483', + reference: 'https://attack.mitre.org/techniques/T1483', + tactics: ['command-and-control'], + }, { name: 'Domain Policy Modification', id: 'T1484', 
@@ -600,18 +822,42 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1189', tactics: ['initial-access'], }, + { + name: 'Dylib Hijacking', + id: 'T1157', + reference: 'https://attack.mitre.org/techniques/T1157', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'Dynamic Data Exchange', + id: 'T1173', + reference: 'https://attack.mitre.org/techniques/T1173', + tactics: ['execution'], + }, { name: 'Dynamic Resolution', id: 'T1568', reference: 'https://attack.mitre.org/techniques/T1568', tactics: ['command-and-control'], }, + { + name: 'Elevated Execution with Prompt', + id: 'T1514', + reference: 'https://attack.mitre.org/techniques/T1514', + tactics: ['privilege-escalation'], + }, { name: 'Email Collection', id: 'T1114', reference: 'https://attack.mitre.org/techniques/T1114', tactics: ['collection'], }, + { + name: 'Emond', + id: 'T1519', + reference: 'https://attack.mitre.org/techniques/T1519', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Encrypted Channel', id: 'T1573', @@ -720,12 +966,30 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1133', tactics: ['persistence', 'initial-access'], }, + { + name: 'Extra Window Memory Injection', + id: 'T1181', + reference: 'https://attack.mitre.org/techniques/T1181', + tactics: ['defense-evasion', 'privilege-escalation'], + }, { name: 'Fallback Channels', id: 'T1008', reference: 'https://attack.mitre.org/techniques/T1008', tactics: ['command-and-control'], }, + { + name: 'File Deletion', + id: 'T1107', + reference: 'https://attack.mitre.org/techniques/T1107', + tactics: ['defense-evasion'], + }, + { + name: 'File System Permissions Weakness', + id: 'T1044', + reference: 'https://attack.mitre.org/techniques/T1044', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'File and Directory Discovery', id: 'T1083', 
@@ -756,6 +1020,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1606', tactics: ['credential-access'], }, + { + name: 'Gatekeeper Bypass', + id: 'T1144', + reference: 'https://attack.mitre.org/techniques/T1144', + tactics: ['defense-evasion'], + }, { name: 'Gather Victim Host Information', id: 'T1592', @@ -792,12 +1062,36 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1615', tactics: ['discovery'], }, + { + name: 'HISTCONTROL', + id: 'T1148', + reference: 'https://attack.mitre.org/techniques/T1148', + tactics: ['defense-evasion'], + }, { name: 'Hardware Additions', id: 'T1200', reference: 'https://attack.mitre.org/techniques/T1200', tactics: ['initial-access'], }, + { + name: 'Hidden Files and Directories', + id: 'T1158', + reference: 'https://attack.mitre.org/techniques/T1158', + tactics: ['defense-evasion', 'persistence'], + }, + { + name: 'Hidden Users', + id: 'T1147', + reference: 'https://attack.mitre.org/techniques/T1147', + tactics: ['defense-evasion'], + }, + { + name: 'Hidden Window', + id: 'T1143', + reference: 'https://attack.mitre.org/techniques/T1143', + tactics: ['defense-evasion'], + }, { name: 'Hide Artifacts', id: 'T1564', @@ -810,12 +1104,24 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1574', tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], }, + { + name: 'Hooking', + id: 'T1179', + reference: 'https://attack.mitre.org/techniques/T1179', + tactics: ['persistence', 'privilege-escalation', 'credential-access'], + }, { name: 'Hypervisor', id: 'T1062', reference: 'https://attack.mitre.org/techniques/T1062', tactics: ['persistence'], }, + { + name: 'Image File Execution Options Injection', + id: 'T1183', + reference: 'https://attack.mitre.org/techniques/T1183', + tactics: ['privilege-escalation', 'persistence', 'defense-evasion'], + }, { name: 'Impair Defenses', id: 'T1562', 
@@ -828,6 +1134,18 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1525', tactics: ['persistence'], }, + { + name: 'Indicator Blocking', + id: 'T1054', + reference: 'https://attack.mitre.org/techniques/T1054', + tactics: ['defense-evasion'], + }, + { + name: 'Indicator Removal from Tools', + id: 'T1066', + reference: 'https://attack.mitre.org/techniques/T1066', + tactics: ['defense-evasion'], + }, { name: 'Indicator Removal on Host', id: 'T1070', @@ -858,6 +1176,24 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1056', tactics: ['collection', 'credential-access'], }, + { + name: 'Input Prompt', + id: 'T1141', + reference: 'https://attack.mitre.org/techniques/T1141', + tactics: ['credential-access'], + }, + { + name: 'Install Root Certificate', + id: 'T1130', + reference: 'https://attack.mitre.org/techniques/T1130', + tactics: ['defense-evasion'], + }, + { + name: 'InstallUtil', + id: 'T1118', + reference: 'https://attack.mitre.org/techniques/T1118', + tactics: ['defense-evasion', 'execution'], + }, { name: 'Inter-Process Communication', id: 'T1559', 
@@ -870,18 +1206,90 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1534', tactics: ['lateral-movement'], }, + { + name: 'Kerberoasting', + id: 'T1208', + reference: 'https://attack.mitre.org/techniques/T1208', + tactics: ['credential-access'], + }, + { + name: 'Kernel Modules and Extensions', + id: 'T1215', + reference: 'https://attack.mitre.org/techniques/T1215', + tactics: ['persistence'], + }, + { + name: 'Keychain', + id: 'T1142', + reference: 'https://attack.mitre.org/techniques/T1142', + tactics: ['credential-access'], + }, + { + name: 'LC_LOAD_DYLIB Addition', + id: 'T1161', + reference: 'https://attack.mitre.org/techniques/T1161', + tactics: ['persistence'], + }, { name: 'LC_MAIN Hijacking', id: 'T1149', reference: 'https://attack.mitre.org/techniques/T1149', tactics: ['defense-evasion'], }, + { + name: 'LLMNR/NBT-NS Poisoning and Relay', + id: 'T1171', + reference: 'https://attack.mitre.org/techniques/T1171', + tactics: ['credential-access'], + }, + { + name: 'LSASS Driver', + id: 'T1177', + reference: 'https://attack.mitre.org/techniques/T1177', + tactics: ['execution', 'persistence'], + }, { name: 'Lateral Tool Transfer', id: 'T1570', reference: 'https://attack.mitre.org/techniques/T1570', tactics: ['lateral-movement'], }, + { + name: 'Launch Agent', + id: 'T1159', + reference: 'https://attack.mitre.org/techniques/T1159', + tactics: ['persistence'], + }, + { + name: 'Launch Daemon', + id: 'T1160', + reference: 'https://attack.mitre.org/techniques/T1160', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'Launchctl', + id: 'T1152', + reference: 'https://attack.mitre.org/techniques/T1152', + tactics: ['defense-evasion', 'execution', 'persistence'], + }, + { + name: 'Local Job Scheduling', + id: 'T1168', + reference: 'https://attack.mitre.org/techniques/T1168', + tactics: ['persistence', 'execution'], + }, + { + name: 'Login Item', + id: 'T1162', + reference: 'https://attack.mitre.org/techniques/T1162', + 
tactics: ['persistence'], + }, + { + name: 'Malicious Shell Modification', + id: 'T1156', + reference: 'https://attack.mitre.org/techniques/T1156', + tactics: ['persistence'], + }, { name: 'Masquerading', id: 'T1036', @@ -900,6 +1308,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1578', tactics: ['defense-evasion'], }, + { + name: 'Modify Existing Service', + id: 'T1031', + reference: 'https://attack.mitre.org/techniques/T1031', + tactics: ['persistence'], + }, { name: 'Modify Registry', id: 'T1112', @@ -913,9 +1327,33 @@ export const technique = [ tactics: ['defense-evasion'], }, { - name: 'Multi-Stage Channels', - id: 'T1104', - reference: 'https://attack.mitre.org/techniques/T1104', + name: 'Mshta', + id: 'T1170', + reference: 'https://attack.mitre.org/techniques/T1170', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Multi-Factor Authentication Interception', + id: 'T1111', + reference: 'https://attack.mitre.org/techniques/T1111', + tactics: ['credential-access'], + }, + { + name: 'Multi-Factor Authentication Request Generation', + id: 'T1621', + reference: 'https://attack.mitre.org/techniques/T1621', + tactics: ['credential-access'], + }, + { + name: 'Multi-Stage Channels', + id: 'T1104', + reference: 'https://attack.mitre.org/techniques/T1104', + tactics: ['command-and-control'], + }, + { + name: 'Multi-hop Proxy', + id: 'T1188', + reference: 'https://attack.mitre.org/techniques/T1188', tactics: ['command-and-control'], }, { 
@@ -924,12 +1362,30 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1026', tactics: ['command-and-control'], }, + { + name: 'Multilayer Encryption', + id: 'T1079', + reference: 'https://attack.mitre.org/techniques/T1079', + tactics: ['command-and-control'], + }, + { + name: 'NTFS File Attributes', + id: 'T1096', + reference: 'https://attack.mitre.org/techniques/T1096', + tactics: ['defense-evasion'], + }, { name: 'Native API', id: 'T1106', reference: 'https://attack.mitre.org/techniques/T1106', tactics: ['execution'], }, + { + name: 'Netsh Helper DLL', + id: 'T1128', + reference: 'https://attack.mitre.org/techniques/T1128', + tactics: ['persistence'], + }, { name: 'Network Boundary Bridging', id: 'T1599', @@ -943,11 +1399,17 @@ export const technique = [ tactics: ['impact'], }, { - name: 'Network Service Scanning', + name: 'Network Service Discovery', id: 'T1046', reference: 'https://attack.mitre.org/techniques/T1046', tactics: ['discovery'], }, + { + name: 'Network Share Connection Removal', + id: 'T1126', + reference: 'https://attack.mitre.org/techniques/T1126', + tactics: ['defense-evasion'], + }, { name: 'Network Share Discovery', id: 'T1135', @@ -960,6 +1422,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1040', tactics: ['credential-access', 'discovery'], }, + { + name: 'New Service', + id: 'T1050', + reference: 'https://attack.mitre.org/techniques/T1050', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Non-Application Layer Protocol', id: 'T1095', 
@@ -996,6 +1464,30 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1137', tactics: ['persistence'], }, + { + name: 'Parent PID Spoofing', + id: 'T1502', + reference: 'https://attack.mitre.org/techniques/T1502', + tactics: ['defense-evasion', 'privilege-escalation'], + }, + { + name: 'Pass the Hash', + id: 'T1075', + reference: 'https://attack.mitre.org/techniques/T1075', + tactics: ['lateral-movement'], + }, + { + name: 'Pass the Ticket', + id: 'T1097', + reference: 'https://attack.mitre.org/techniques/T1097', + tactics: ['lateral-movement'], + }, + { + name: 'Password Filter DLL', + id: 'T1174', + reference: 'https://attack.mitre.org/techniques/T1174', + tactics: ['credential-access'], + }, { name: 'Password Policy Discovery', id: 'T1201', 
@@ -1032,18 +1524,66 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1598', tactics: ['reconnaissance'], }, + { + name: 'Plist File Modification', + id: 'T1647', + reference: 'https://attack.mitre.org/techniques/T1647', + tactics: ['defense-evasion'], + }, + { + name: 'Plist Modification', + id: 'T1150', + reference: 'https://attack.mitre.org/techniques/T1150', + tactics: ['defense-evasion', 'persistence', 'privilege-escalation'], + }, + { + name: 'Port Monitors', + id: 'T1013', + reference: 'https://attack.mitre.org/techniques/T1013', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'PowerShell', + id: 'T1086', + reference: 'https://attack.mitre.org/techniques/T1086', + tactics: ['execution'], + }, + { + name: 'PowerShell Profile', + id: 'T1504', + reference: 'https://attack.mitre.org/techniques/T1504', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Pre-OS Boot', id: 'T1542', reference: 'https://attack.mitre.org/techniques/T1542', tactics: ['defense-evasion', 'persistence'], }, + { + name: 'Private Keys', + id: 'T1145', + reference: 'https://attack.mitre.org/techniques/T1145', + tactics: ['credential-access'], + }, { name: 'Process Discovery', id: 'T1057', reference: 'https://attack.mitre.org/techniques/T1057', tactics: ['discovery'], }, + { + name: 'Process Doppelgänging', + id: 'T1186', + reference: 'https://attack.mitre.org/techniques/T1186', + tactics: ['defense-evasion'], + }, + { + name: 'Process Hollowing', + id: 'T1093', + reference: 'https://attack.mitre.org/techniques/T1093', + tactics: ['defense-evasion'], + }, { name: 'Process Injection', id: 'T1055', 
@@ -1068,6 +1608,18 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1012', tactics: ['discovery'], }, + { + name: 'Rc.common', + id: 'T1163', + reference: 'https://attack.mitre.org/techniques/T1163', + tactics: ['persistence'], + }, + { + name: 'Re-opened Applications', + id: 'T1164', + reference: 'https://attack.mitre.org/techniques/T1164', + tactics: ['persistence'], + }, { name: 'Redundant Access', id: 'T1108', @@ -1080,12 +1632,36 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1620', tactics: ['defense-evasion'], }, + { + name: 'Registry Run Keys / Startup Folder', + id: 'T1060', + reference: 'https://attack.mitre.org/techniques/T1060', + tactics: ['persistence'], + }, + { + name: 'Regsvcs/Regasm', + id: 'T1121', + reference: 'https://attack.mitre.org/techniques/T1121', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Regsvr32', + id: 'T1117', + reference: 'https://attack.mitre.org/techniques/T1117', + tactics: ['defense-evasion', 'execution'], + }, { name: 'Remote Access Software', id: 'T1219', reference: 'https://attack.mitre.org/techniques/T1219', tactics: ['command-and-control'], }, + { + name: 'Remote Desktop Protocol', + id: 'T1076', + reference: 'https://attack.mitre.org/techniques/T1076', + tactics: ['lateral-movement'], + }, { name: 'Remote Service Session Hijacking', id: 'T1563', @@ -1116,6 +1692,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1496', tactics: ['impact'], }, + { + name: 'Revert Cloud Instance', + id: 'T1536', + reference: 'https://attack.mitre.org/techniques/T1536', + tactics: ['defense-evasion'], + }, { name: 'Rogue Domain Controller', id: 'T1207', 
@@ -1128,6 +1710,36 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1014', tactics: ['defense-evasion'], }, + { + name: 'Rundll32', + id: 'T1085', + reference: 'https://attack.mitre.org/techniques/T1085', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Runtime Data Manipulation', + id: 'T1494', + reference: 'https://attack.mitre.org/techniques/T1494', + tactics: ['impact'], + }, + { + name: 'SID-History Injection', + id: 'T1178', + reference: 'https://attack.mitre.org/techniques/T1178', + tactics: ['privilege-escalation'], + }, + { + name: 'SIP and Trust Provider Hijacking', + id: 'T1198', + reference: 'https://attack.mitre.org/techniques/T1198', + tactics: ['defense-evasion', 'persistence'], + }, + { + name: 'SSH Hijacking', + id: 'T1184', + reference: 'https://attack.mitre.org/techniques/T1184', + tactics: ['lateral-movement'], + }, { name: 'Scheduled Task/Job', id: 'T1053', @@ -1146,6 +1758,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1113', tactics: ['collection'], }, + { + name: 'Screensaver', + id: 'T1180', + reference: 'https://attack.mitre.org/techniques/T1180', + tactics: ['persistence'], + }, { name: 'Scripting', id: 'T1064', 
@@ -1176,18 +1794,54 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1594', tactics: ['reconnaissance'], }, + { + name: 'Security Software Discovery', + id: 'T1063', + reference: 'https://attack.mitre.org/techniques/T1063', + tactics: ['discovery'], + }, + { + name: 'Security Support Provider', + id: 'T1101', + reference: 'https://attack.mitre.org/techniques/T1101', + tactics: ['persistence'], + }, + { + name: 'Securityd Memory', + id: 'T1167', + reference: 'https://attack.mitre.org/techniques/T1167', + tactics: ['credential-access'], + }, { name: 'Server Software Component', id: 'T1505', reference: 'https://attack.mitre.org/techniques/T1505', tactics: ['persistence'], }, + { + name: 'Service Execution', + id: 'T1035', + reference: 'https://attack.mitre.org/techniques/T1035', + tactics: ['execution'], + }, + { + name: 'Service Registry Permissions Weakness', + id: 'T1058', + reference: 'https://attack.mitre.org/techniques/T1058', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Service Stop', id: 'T1489', reference: 'https://attack.mitre.org/techniques/T1489', tactics: ['impact'], }, + { + name: 'Setuid and Setgid', + id: 'T1166', + reference: 'https://attack.mitre.org/techniques/T1166', + tactics: ['privilege-escalation', 'persistence'], + }, { name: 'Shared Modules', id: 'T1129', @@ -1201,16 +1855,10 @@ export const technique = [ tactics: ['lateral-movement'], }, { - name: 'Signed Binary Proxy Execution', - id: 'T1218', - reference: 'https://attack.mitre.org/techniques/T1218', - tactics: ['defense-evasion'], - }, - { - name: 'Signed Script Proxy Execution', - id: 'T1216', - reference: 'https://attack.mitre.org/techniques/T1216', - tactics: ['defense-evasion'], + name: 'Shortcut Modification', + id: 'T1023', + reference: 'https://attack.mitre.org/techniques/T1023', + tactics: ['persistence'], }, { name: 'Software Deployment Tools', 
@@ -1224,18 +1872,60 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1518', tactics: ['discovery'], }, + { + name: 'Software Packing', + id: 'T1045', + reference: 'https://attack.mitre.org/techniques/T1045', + tactics: ['defense-evasion'], + }, { name: 'Source', id: 'T1153', reference: 'https://attack.mitre.org/techniques/T1153', tactics: ['execution'], }, + { + name: 'Space after Filename', + id: 'T1151', + reference: 'https://attack.mitre.org/techniques/T1151', + tactics: ['defense-evasion', 'execution'], + }, + { + name: 'Spearphishing Attachment', + id: 'T1193', + reference: 'https://attack.mitre.org/techniques/T1193', + tactics: ['initial-access'], + }, + { + name: 'Spearphishing Link', + id: 'T1192', + reference: 'https://attack.mitre.org/techniques/T1192', + tactics: ['initial-access'], + }, + { + name: 'Spearphishing via Service', + id: 'T1194', + reference: 'https://attack.mitre.org/techniques/T1194', + tactics: ['initial-access'], + }, { name: 'Stage Capabilities', id: 'T1608', reference: 'https://attack.mitre.org/techniques/T1608', tactics: ['resource-development'], }, + { + name: 'Standard Cryptographic Protocol', + id: 'T1032', + reference: 'https://attack.mitre.org/techniques/T1032', + tactics: ['command-and-control'], + }, + { + name: 'Startup Items', + id: 'T1165', + reference: 'https://attack.mitre.org/techniques/T1165', + tactics: ['persistence', 'privilege-escalation'], + }, { name: 'Steal Application Access Token', id: 'T1528', 
@@ -1254,18 +1944,48 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1558', tactics: ['credential-access'], }, + { + name: 'Stored Data Manipulation', + id: 'T1492', + reference: 'https://attack.mitre.org/techniques/T1492', + tactics: ['impact'], + }, { name: 'Subvert Trust Controls', id: 'T1553', reference: 'https://attack.mitre.org/techniques/T1553', tactics: ['defense-evasion'], }, + { + name: 'Sudo', + id: 'T1169', + reference: 'https://attack.mitre.org/techniques/T1169', + tactics: ['privilege-escalation'], + }, + { + name: 'Sudo Caching', + id: 'T1206', + reference: 'https://attack.mitre.org/techniques/T1206', + tactics: ['privilege-escalation'], + }, { name: 'Supply Chain Compromise', id: 'T1195', reference: 'https://attack.mitre.org/techniques/T1195', tactics: ['initial-access'], }, + { + name: 'System Binary Proxy Execution', + id: 'T1218', + reference: 'https://attack.mitre.org/techniques/T1218', + tactics: ['defense-evasion'], + }, + { + name: 'System Firmware', + id: 'T1019', + reference: 'https://attack.mitre.org/techniques/T1019', + tactics: ['persistence'], + }, { name: 'System Information Discovery', id: 'T1082', @@ -1296,6 +2016,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1033', tactics: ['discovery'], }, + { + name: 'System Script Proxy Execution', + id: 'T1216', + reference: 'https://attack.mitre.org/techniques/T1216', + tactics: ['defense-evasion'], + }, { name: 'System Service Discovery', id: 'T1007', @@ -1320,6 +2046,12 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1124', tactics: ['discovery'], }, + { + name: 'Systemd Service', + id: 'T1501', + reference: 'https://attack.mitre.org/techniques/T1501', + tactics: ['persistence'], + }, { name: 'Taint Shared Content', id: 'T1080', 
@@ -1332,6 +2064,18 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1221', tactics: ['defense-evasion'], }, + { + name: 'Time Providers', + id: 'T1209', + reference: 'https://attack.mitre.org/techniques/T1209', + tactics: ['persistence'], + }, + { + name: 'Timestomp', + id: 'T1099', + reference: 'https://attack.mitre.org/techniques/T1099', + tactics: ['defense-evasion'], + }, { name: 'Traffic Signaling', id: 'T1205', @@ -1344,6 +2088,18 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1537', tactics: ['exfiltration'], }, + { + name: 'Transmitted Data Manipulation', + id: 'T1493', + reference: 'https://attack.mitre.org/techniques/T1493', + tactics: ['impact'], + }, + { + name: 'Trap', + id: 'T1154', + reference: 'https://attack.mitre.org/techniques/T1154', + tactics: ['execution', 'persistence'], + }, { name: 'Trusted Developer Utilities Proxy Execution', id: 'T1127', @@ -1357,10 +2113,10 @@ export const technique = [ tactics: ['initial-access'], }, { - name: 'Two-Factor Authentication Interception', - id: 'T1111', - reference: 'https://attack.mitre.org/techniques/T1111', - tactics: ['credential-access'], + name: 'Uncommonly Used Port', + id: 'T1065', + reference: 'https://attack.mitre.org/techniques/T1065', + tactics: ['command-and-control'], }, { name: 'Unsecured Credentials', 
@@ -1416,6 +2172,24 @@ export const technique = [ reference: 'https://attack.mitre.org/techniques/T1102', tactics: ['command-and-control'], }, + { + name: 'Web Session Cookie', + id: 'T1506', + reference: 'https://attack.mitre.org/techniques/T1506', + tactics: ['defense-evasion', 'lateral-movement'], + }, + { + name: 'Web Shell', + id: 'T1100', + reference: 'https://attack.mitre.org/techniques/T1100', + tactics: ['persistence', 'privilege-escalation'], + }, + { + name: 'Windows Admin Shares', + id: 'T1077', + reference: 'https://attack.mitre.org/techniques/T1077', + tactics: ['lateral-movement'], + }, { name: 'Windows Management Instrumentation', id: 'T1047', @@ -1423,10 +2197,28 @@ export const technique = [ tactics: ['execution'], }, { - name: 'XSL Script Processing', - id: 'T1220', - reference: 'https://attack.mitre.org/techniques/T1220', - tactics: ['defense-evasion'], + name: 'Windows Management Instrumentation Event Subscription', + id: 'T1084', + reference: 'https://attack.mitre.org/techniques/T1084', + tactics: ['persistence'], + }, + { + name: 'Windows Remote Management', + id: 'T1028', + reference: 'https://attack.mitre.org/techniques/T1028', + tactics: ['execution', 'lateral-movement'], + }, + { + name: 'Winlogon Helper DLL', + id: 'T1004', + reference: 'https://attack.mitre.org/techniques/T1004', + tactics: ['persistence'], + }, + { + name: 'XSL Script Processing', + id: 'T1220', + reference: 'https://attack.mitre.org/techniques/T1220', + tactics: ['defense-evasion'], }, ]; 
@@ -1453,6 +2245,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'defense-evasion,privilege-escalation', value: 'accessTokenManipulation', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.accessibilityFeaturesDescription', + { defaultMessage: 'Accessibility Features (T1015)' } + ), + id: 'T1015', + name: 'Accessibility Features', + reference: 'https://attack.mitre.org/techniques/T1015', + tactics: 'persistence,privilege-escalation', + value: 'accessibilityFeatures', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.accountAccessRemovalDescription', 
@@ -1519,6 +2322,61 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'credential-access,collection', value: 'adversaryInTheMiddle', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.appCertDlLsDescription', + { defaultMessage: 'AppCert DLLs (T1182)' } + ), + id: 'T1182', + name: 'AppCert DLLs', + reference: 'https://attack.mitre.org/techniques/T1182', + tactics: 'persistence,privilege-escalation', + value: 'appCertDlLs', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.appInitDlLsDescription', + { defaultMessage: 'AppInit DLLs (T1103)' } + ), + id: 'T1103', + name: 'AppInit DLLs', + reference: 'https://attack.mitre.org/techniques/T1103', + tactics: 'persistence,privilege-escalation', + value: 'appInitDlLs', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.appleScriptDescription', + { defaultMessage: 'AppleScript (T1155)' } + ), + id: 'T1155', + name: 'AppleScript', + reference: 'https://attack.mitre.org/techniques/T1155', + tactics: 'execution', + value: 'appleScript', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.applicationAccessTokenDescription', + { defaultMessage: 'Application Access Token (T1527)' } + ), + id: 'T1527', + name: 'Application Access Token', + reference: 'https://attack.mitre.org/techniques/T1527', + tactics: 'defense-evasion,lateral-movement', + value: 'applicationAccessToken', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.applicationDeploymentSoftwareDescription', + { defaultMessage: 'Application Deployment Software (T1017)' } + ), + id: 'T1017', + name: 'Application Deployment Software', + reference: 'https://attack.mitre.org/techniques/T1017', + tactics: 'lateral-movement', + value: 'applicationDeploymentSoftware', + }, { label: i18n.translate( 
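Review bot: The `value` and i18n key for the two DLL entries come out as `appCertDlLs` / `appInitDlLs` (and `...appCertDlLsDescription`), which looks like a camel-case conversion that splits the acronym "DLLs" into "Dl" + "Ls"; a human-written form would be `appCertDlls` / `appInitDlls`. The `value` strings act as option identifiers, so whichever spelling lands here should be treated as fixed from then on. If the file is produced by a script, the fix belongs in that script's name-to-identifier conversion rather than in a hand edit of these lines.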
'xpack.securitySolution.detectionEngine.mitreAttackTechniques.applicationLayerProtocolDescription', @@ -1530,6 +2388,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'applicationLayerProtocol', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.applicationShimmingDescription', + { defaultMessage: 'Application Shimming (T1138)' } + ), + id: 'T1138', + name: 'Application Shimming', + reference: 'https://attack.mitre.org/techniques/T1138', + tactics: 'persistence,privilege-escalation', + value: 'applicationShimming', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.applicationWindowDiscoveryDescription', @@ -1563,6 +2432,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'collection', value: 'audioCapture', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.authenticationPackageDescription', + { defaultMessage: 'Authentication Package (T1131)' } + ), + id: 'T1131', + name: 'Authentication Package', + reference: 'https://attack.mitre.org/techniques/T1131', + tactics: 'persistence', + value: 'authenticationPackage', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.automatedCollectionDescription', 
@@ -1596,6 +2476,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'defense-evasion,persistence', value: 'bitsJobs', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.bashHistoryDescription', + { defaultMessage: 'Bash History (T1139)' } + ), + id: 'T1139', + name: 'Bash History', + reference: 'https://attack.mitre.org/techniques/T1139', + tactics: 'credential-access', + value: 'bashHistory', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.binaryPaddingDescription', + { defaultMessage: 'Binary Padding (T1009)' } + ), + id: 'T1009', + name: 'Binary Padding', + reference: 'https://attack.mitre.org/techniques/T1009', + tactics: 'defense-evasion', + value: 'binaryPadding', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonAutostartExecutionDescription', @@ -1618,6 +2520,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'persistence,privilege-escalation', value: 'bootOrLogonInitializationScripts', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootkitDescription', + { defaultMessage: 'Bootkit (T1067)' } + ), + id: 'T1067', + name: 'Bootkit', + reference: 'https://attack.mitre.org/techniques/T1067', + tactics: 'persistence', + value: 'bootkit', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserBookmarkDiscoveryDescription', 
@@ -1673,6 +2586,50 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'defense-evasion', value: 'buildImageOnHost', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.bypassUserAccountControlDescription', + { defaultMessage: 'Bypass User Account Control (T1088)' } + ), + id: 'T1088', + name: 'Bypass User Account Control', + reference: 'https://attack.mitre.org/techniques/T1088', + tactics: 'defense-evasion,privilege-escalation', + value: 'bypassUserAccountControl', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.cmstpDescription', + { defaultMessage: 'CMSTP (T1191)' } + ), + id: 'T1191', + name: 'CMSTP', + reference: 'https://attack.mitre.org/techniques/T1191', + tactics: 'defense-evasion,execution', + value: 'cmstp', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.changeDefaultFileAssociationDescription', + { defaultMessage: 'Change Default File Association (T1042)' } + ), + id: 'T1042', + name: 'Change Default File Association', + reference: 'https://attack.mitre.org/techniques/T1042', + tactics: 'persistence', + value: 'changeDefaultFileAssociation', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.clearCommandHistoryDescription', + { defaultMessage: 'Clear Command History (T1146)' } + ), + id: 'T1146', + name: 'Clear Command History', + reference: 'https://attack.mitre.org/techniques/T1146', + tactics: 'defense-evasion', + value: 'clearCommandHistory', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.clipboardDataDescription', 
@@ -1695,6 +2652,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'discovery', value: 'cloudInfrastructureDiscovery', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.cloudInstanceMetadataApiDescription', + { defaultMessage: 'Cloud Instance Metadata API (T1522)' } + ), + id: 'T1522', + name: 'Cloud Instance Metadata API', + reference: 'https://attack.mitre.org/techniques/T1522', + tactics: 'credential-access', + value: 'cloudInstanceMetadataApi', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.cloudServiceDashboardDescription', @@ -1728,6 +2696,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'discovery', value: 'cloudStorageObjectDiscovery', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.codeSigningDescription', + { defaultMessage: 'Code Signing (T1116)' } + ), + id: 'T1116', + name: 'Code Signing', + reference: 'https://attack.mitre.org/techniques/T1116', + tactics: 'defense-evasion', + value: 'codeSigning', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.commandAndScriptingInterpreterDescription', 
@@ -1761,6 +2740,50 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'communicationThroughRemovableMedia', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.compileAfterDeliveryDescription', + { defaultMessage: 'Compile After Delivery (T1500)' } + ), + id: 'T1500', + name: 'Compile After Delivery', + reference: 'https://attack.mitre.org/techniques/T1500', + tactics: 'defense-evasion', + value: 'compileAfterDelivery', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.compiledHtmlFileDescription', + { defaultMessage: 'Compiled HTML File (T1223)' } + ), + id: 'T1223', + name: 'Compiled HTML File', + reference: 'https://attack.mitre.org/techniques/T1223', + tactics: 'defense-evasion,execution', + value: 'compiledHtmlFile', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.componentFirmwareDescription', + { defaultMessage: 'Component Firmware (T1109)' } + ), + id: 'T1109', + name: 'Component Firmware', + reference: 'https://attack.mitre.org/techniques/T1109', + tactics: 'defense-evasion,persistence', + value: 'componentFirmware', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.componentObjectModelHijackingDescription', + { defaultMessage: 'Component Object Model Hijacking (T1122)' } + ), + id: 'T1122', + name: 'Component Object Model Hijacking', + reference: 'https://attack.mitre.org/techniques/T1122', + tactics: 'defense-evasion,persistence', + value: 'componentObjectModelHijacking', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.componentObjectModelAndDistributedComDescription', 
@@ -1827,6 +2850,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'discovery', value: 'containerAndResourceDiscovery', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.controlPanelItemsDescription', + { defaultMessage: 'Control Panel Items (T1196)' } + ), + id: 'T1196', + name: 'Control Panel Items', + reference: 'https://attack.mitre.org/techniques/T1196', + tactics: 'defense-evasion,execution', + value: 'controlPanelItems', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.createAccountDescription', 
@@ -1860,6 +2894,94 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'credential-access', value: 'credentialsFromPasswordStores', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.credentialsFromWebBrowsersDescription', + { defaultMessage: 'Credentials from Web Browsers (T1503)' } + ), + id: 'T1503', + name: 'Credentials from Web Browsers', + reference: 'https://attack.mitre.org/techniques/T1503', + tactics: 'credential-access', + value: 'credentialsFromWebBrowsers', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.credentialsInFilesDescription', + { defaultMessage: 'Credentials in Files (T1081)' } + ), + id: 'T1081', + name: 'Credentials in Files', + reference: 'https://attack.mitre.org/techniques/T1081', + tactics: 'credential-access', + value: 'credentialsInFiles', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.credentialsInRegistryDescription', + { defaultMessage: 'Credentials in Registry (T1214)' } + ), + id: 'T1214', + name: 'Credentials in Registry', + reference: 'https://attack.mitre.org/techniques/T1214', + tactics: 'credential-access', + value: 'credentialsInRegistry', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.customCommandAndControlProtocolDescription', + { defaultMessage: 'Custom Command and Control Protocol (T1094)' } + ), + id: 'T1094', + name: 'Custom Command and Control Protocol', + reference: 'https://attack.mitre.org/techniques/T1094', + tactics: 'command-and-control', + value: 'customCommandAndControlProtocol', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.customCryptographicProtocolDescription', + { defaultMessage: 'Custom Cryptographic Protocol (T1024)' } + ), + id: 'T1024', + name: 'Custom Cryptographic Protocol', + reference: 'https://attack.mitre.org/techniques/T1024', 
+ tactics: 'command-and-control', + value: 'customCryptographicProtocol', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dllSearchOrderHijackingDescription', + { defaultMessage: 'DLL Search Order Hijacking (T1038)' } + ), + id: 'T1038', + name: 'DLL Search Order Hijacking', + reference: 'https://attack.mitre.org/techniques/T1038', + tactics: 'persistence,privilege-escalation,defense-evasion', + value: 'dllSearchOrderHijacking', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dllSideLoadingDescription', + { defaultMessage: 'DLL Side-Loading (T1073)' } + ), + id: 'T1073', + name: 'DLL Side-Loading', + reference: 'https://attack.mitre.org/techniques/T1073', + tactics: 'defense-evasion', + value: 'dllSideLoading', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dataCompressedDescription', + { defaultMessage: 'Data Compressed (T1002)' } + ), + id: 'T1002', + name: 'Data Compressed', + reference: 'https://attack.mitre.org/techniques/T1002', + tactics: 'exfiltration', + value: 'dataCompressed', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dataDestructionDescription', @@ -1882,6 +3004,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'dataEncoding', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dataEncryptedDescription', + { defaultMessage: 'Data Encrypted (T1022)' } + ), + id: 'T1022', + name: 'Data Encrypted', + reference: 'https://attack.mitre.org/techniques/T1022', + tactics: 'exfiltration', + value: 'dataEncrypted', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dataEncryptedForImpactDescription', 
@@ -2003,6 +3136,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'collection', value: 'dataFromRemovableMedia', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.debuggerEvasionDescription', + { defaultMessage: 'Debugger Evasion (T1622)' } + ), + id: 'T1622', + name: 'Debugger Evasion', + reference: 'https://attack.mitre.org/techniques/T1622', + tactics: 'defense-evasion,discovery', + value: 'debuggerEvasion', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.defacementDescription', @@ -2058,6 +3202,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'defense-evasion', value: 'directVolumeAccess', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.disablingSecurityToolsDescription', + { defaultMessage: 'Disabling Security Tools (T1089)' } + ), + id: 'T1089', + name: 'Disabling Security Tools', + reference: 'https://attack.mitre.org/techniques/T1089', + tactics: 'defense-evasion', + value: 'disablingSecurityTools', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.diskContentWipeDescription', + { defaultMessage: 'Disk Content Wipe (T1488)' } + ), + id: 'T1488', + name: 'Disk Content Wipe', + reference: 'https://attack.mitre.org/techniques/T1488', + tactics: 'impact', + value: 'diskContentWipe', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.diskStructureWipeDescription', + { defaultMessage: 'Disk Structure Wipe (T1487)' } + ), + id: 'T1487', + name: 'Disk Structure Wipe', + reference: 'https://attack.mitre.org/techniques/T1487', + tactics: 'impact', + value: 'diskStructureWipe', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.diskWipeDescription', 
@@ -2071,19 +3248,41 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainPolicyModificationDescription', - { defaultMessage: 'Domain Policy Modification (T1484)' } + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainFrontingDescription', + { defaultMessage: 'Domain Fronting (T1172)' } ), - id: 'T1484', - name: 'Domain Policy Modification', - reference: 'https://attack.mitre.org/techniques/T1484', - tactics: 'defense-evasion,privilege-escalation', - value: 'domainPolicyModification', + id: 'T1172', + name: 'Domain Fronting', + reference: 'https://attack.mitre.org/techniques/T1172', + tactics: 'command-and-control', + value: 'domainFronting', }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainTrustDiscoveryDescription', - { defaultMessage: 'Domain Trust Discovery (T1482)' } + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainGenerationAlgorithmsDescription', + { defaultMessage: 'Domain Generation Algorithms (T1483)' } + ), + id: 'T1483', + name: 'Domain Generation Algorithms', + reference: 'https://attack.mitre.org/techniques/T1483', + tactics: 'command-and-control', + value: 'domainGenerationAlgorithms', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainPolicyModificationDescription', + { defaultMessage: 'Domain Policy Modification (T1484)' } + ), + id: 'T1484', + name: 'Domain Policy Modification', + reference: 'https://attack.mitre.org/techniques/T1484', + tactics: 'defense-evasion,privilege-escalation', + value: 'domainPolicyModification', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.domainTrustDiscoveryDescription', + { defaultMessage: 'Domain Trust Discovery (T1482)' } ), id: 'T1482', name: 'Domain Trust Discovery', 
@@ -2102,6 +3301,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'initial-access', value: 'driveByCompromise', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dylibHijackingDescription', + { defaultMessage: 'Dylib Hijacking (T1157)' } + ), + id: 'T1157', + name: 'Dylib Hijacking', + reference: 'https://attack.mitre.org/techniques/T1157', + tactics: 'persistence,privilege-escalation', + value: 'dylibHijacking', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dynamicDataExchangeDescription', + { defaultMessage: 'Dynamic Data Exchange (T1173)' } + ), + id: 'T1173', + name: 'Dynamic Data Exchange', + reference: 'https://attack.mitre.org/techniques/T1173', + tactics: 'execution', + value: 'dynamicDataExchange', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.dynamicResolutionDescription', @@ -2113,6 +3334,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'dynamicResolution', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.elevatedExecutionWithPromptDescription', + { defaultMessage: 'Elevated Execution with Prompt (T1514)' } + ), + id: 'T1514', + name: 'Elevated Execution with Prompt', + reference: 'https://attack.mitre.org/techniques/T1514', + tactics: 'privilege-escalation', + value: 'elevatedExecutionWithPrompt', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.emailCollectionDescription', 
@@ -2124,6 +3356,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'collection', value: 'emailCollection', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.emondDescription', + { defaultMessage: 'Emond (T1519)' } + ), + id: 'T1519', + name: 'Emond', + reference: 'https://attack.mitre.org/techniques/T1519', + tactics: 'persistence,privilege-escalation', + value: 'emond', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.encryptedChannelDescription', @@ -2322,6 +3565,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'persistence,initial-access', value: 'externalRemoteServices', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.extraWindowMemoryInjectionDescription', + { defaultMessage: 'Extra Window Memory Injection (T1181)' } + ), + id: 'T1181', + name: 'Extra Window Memory Injection', + reference: 'https://attack.mitre.org/techniques/T1181', + tactics: 'defense-evasion,privilege-escalation', + value: 'extraWindowMemoryInjection', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.fallbackChannelsDescription', 
@@ -2333,6 +3587,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'fallbackChannels', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.fileDeletionDescription', + { defaultMessage: 'File Deletion (T1107)' } + ), + id: 'T1107', + name: 'File Deletion', + reference: 'https://attack.mitre.org/techniques/T1107', + tactics: 'defense-evasion', + value: 'fileDeletion', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.fileSystemPermissionsWeaknessDescription', + { defaultMessage: 'File System Permissions Weakness (T1044)' } + ), + id: 'T1044', + name: 'File System Permissions Weakness', + reference: 'https://attack.mitre.org/techniques/T1044', + tactics: 'persistence,privilege-escalation', + value: 'fileSystemPermissionsWeakness', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.fileAndDirectoryDiscoveryDescription', @@ -2388,6 +3664,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'credential-access', value: 'forgeWebCredentials', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatekeeperBypassDescription', + { defaultMessage: 'Gatekeeper Bypass (T1144)' } + ), + id: 'T1144', + name: 'Gatekeeper Bypass', + reference: 'https://attack.mitre.org/techniques/T1144', + tactics: 'defense-evasion', + value: 'gatekeeperBypass', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.gatherVictimHostInformationDescription', 
@@ -2454,6 +3741,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'discovery', value: 'groupPolicyDiscovery', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.histcontrolDescription', + { defaultMessage: 'HISTCONTROL (T1148)' } + ), + id: 'T1148', + name: 'HISTCONTROL', + reference: 'https://attack.mitre.org/techniques/T1148', + tactics: 'defense-evasion', + value: 'histcontrol', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hardwareAdditionsDescription', @@ -2465,6 +3763,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'initial-access', value: 'hardwareAdditions', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hiddenFilesAndDirectoriesDescription', + { defaultMessage: 'Hidden Files and Directories (T1158)' } + ), + id: 'T1158', + name: 'Hidden Files and Directories', + reference: 'https://attack.mitre.org/techniques/T1158', + tactics: 'defense-evasion,persistence', + value: 'hiddenFilesAndDirectories', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hiddenUsersDescription', + { defaultMessage: 'Hidden Users (T1147)' } + ), + id: 'T1147', + name: 'Hidden Users', + reference: 'https://attack.mitre.org/techniques/T1147', + tactics: 'defense-evasion', + value: 'hiddenUsers', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hiddenWindowDescription', + { defaultMessage: 'Hidden Window (T1143)' } + ), + id: 'T1143', + name: 'Hidden Window', + reference: 'https://attack.mitre.org/techniques/T1143', + tactics: 'defense-evasion', + value: 'hiddenWindow', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hideArtifactsDescription', 
@@ -2487,6 +3818,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'persistence,privilege-escalation,defense-evasion', value: 'hijackExecutionFlow', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hookingDescription', + { defaultMessage: 'Hooking (T1179)' } + ), + id: 'T1179', + name: 'Hooking', + reference: 'https://attack.mitre.org/techniques/T1179', + tactics: 'persistence,privilege-escalation,credential-access', + value: 'hooking', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.hypervisorDescription', @@ -2498,6 +3840,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'persistence', value: 'hypervisor', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.imageFileExecutionOptionsInjectionDescription', + { defaultMessage: 'Image File Execution Options Injection (T1183)' } + ), + id: 'T1183', + name: 'Image File Execution Options Injection', + reference: 'https://attack.mitre.org/techniques/T1183', + tactics: 'privilege-escalation,persistence,defense-evasion', + value: 'imageFileExecutionOptionsInjection', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.impairDefensesDescription', 
@@ -2520,6 +3873,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'persistence', value: 'implantInternalImage', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.indicatorBlockingDescription', + { defaultMessage: 'Indicator Blocking (T1054)' } + ), + id: 'T1054', + name: 'Indicator Blocking', + reference: 'https://attack.mitre.org/techniques/T1054', + tactics: 'defense-evasion', + value: 'indicatorBlocking', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.indicatorRemovalFromToolsDescription', + { defaultMessage: 'Indicator Removal from Tools (T1066)' } + ), + id: 'T1066', + name: 'Indicator Removal from Tools', + reference: 'https://attack.mitre.org/techniques/T1066', + tactics: 'defense-evasion', + value: 'indicatorRemovalFromTools', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.indicatorRemovalOnHostDescription', 
@@ -2575,6 +3950,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'collection,credential-access', value: 'inputCapture', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.inputPromptDescription', + { defaultMessage: 'Input Prompt (T1141)' } + ), + id: 'T1141', + name: 'Input Prompt', + reference: 'https://attack.mitre.org/techniques/T1141', + tactics: 'credential-access', + value: 'inputPrompt', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.installRootCertificateDescription', + { defaultMessage: 'Install Root Certificate (T1130)' } + ), + id: 'T1130', + name: 'Install Root Certificate', + reference: 'https://attack.mitre.org/techniques/T1130', + tactics: 'defense-evasion', + value: 'installRootCertificate', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.installUtilDescription', + { defaultMessage: 'InstallUtil (T1118)' } + ), + id: 'T1118', + name: 'InstallUtil', + reference: 'https://attack.mitre.org/techniques/T1118', + tactics: 'defense-evasion,execution', + value: 'installUtil', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.interProcessCommunicationDescription', 
@@ -2597,6 +4005,50 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'lateral-movement', value: 'internalSpearphishing', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.kerberoastingDescription', + { defaultMessage: 'Kerberoasting (T1208)' } + ), + id: 'T1208', + name: 'Kerberoasting', + reference: 'https://attack.mitre.org/techniques/T1208', + tactics: 'credential-access', + value: 'kerberoasting', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.kernelModulesAndExtensionsDescription', + { defaultMessage: 'Kernel Modules and Extensions (T1215)' } + ), + id: 'T1215', + name: 'Kernel Modules and Extensions', + reference: 'https://attack.mitre.org/techniques/T1215', + tactics: 'persistence', + value: 'kernelModulesAndExtensions', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.keychainDescription', + { defaultMessage: 'Keychain (T1142)' } + ), + id: 'T1142', + name: 'Keychain', + reference: 'https://attack.mitre.org/techniques/T1142', + tactics: 'credential-access', + value: 'keychain', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.lcLoadDylibAdditionDescription', + { defaultMessage: 'LC_LOAD_DYLIB Addition (T1161)' } + ), + id: 'T1161', + name: 'LC_LOAD_DYLIB Addition', + reference: 'https://attack.mitre.org/techniques/T1161', + tactics: 'persistence', + value: 'lcLoadDylibAddition', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.lcMainHijackingDescription', 
@@ -2608,6 +4060,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'defense-evasion', value: 'lcMainHijacking', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.llmnrNbtNsPoisoningAndRelayDescription', + { defaultMessage: 'LLMNR/NBT-NS Poisoning and Relay (T1171)' } + ), + id: 'T1171', + name: 'LLMNR/NBT-NS Poisoning and Relay', + reference: 'https://attack.mitre.org/techniques/T1171', + tactics: 'credential-access', + value: 'llmnrNbtNsPoisoningAndRelay', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.lsassDriverDescription', + { defaultMessage: 'LSASS Driver (T1177)' } + ), + id: 'T1177', + name: 'LSASS Driver', + reference: 'https://attack.mitre.org/techniques/T1177', + tactics: 'execution,persistence', + value: 'lsassDriver', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.lateralToolTransferDescription', 
@@ -2619,6 +4093,72 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'lateral-movement',
 value: 'lateralToolTransfer',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.launchAgentDescription',
+ { defaultMessage: 'Launch Agent (T1159)' }
+ ),
+ id: 'T1159',
+ name: 'Launch Agent',
+ reference: 'https://attack.mitre.org/techniques/T1159',
+ tactics: 'persistence',
+ value: 'launchAgent',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.launchDaemonDescription',
+ { defaultMessage: 'Launch Daemon (T1160)' }
+ ),
+ id: 'T1160',
+ name: 'Launch Daemon',
+ reference: 'https://attack.mitre.org/techniques/T1160',
+ tactics: 'persistence,privilege-escalation',
+ value: 'launchDaemon',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.launchctlDescription',
+ { defaultMessage: 'Launchctl (T1152)' }
+ ),
+ id: 'T1152',
+ name: 'Launchctl',
+ reference: 'https://attack.mitre.org/techniques/T1152',
+ tactics: 'defense-evasion,execution,persistence',
+ value: 'launchctl',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.localJobSchedulingDescription',
+ { defaultMessage: 'Local Job Scheduling (T1168)' }
+ ),
+ id: 'T1168',
+ name: 'Local Job Scheduling',
+ reference: 'https://attack.mitre.org/techniques/T1168',
+ tactics: 'persistence,execution',
+ value: 'localJobScheduling',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.loginItemDescription',
+ { defaultMessage: 'Login Item (T1162)' }
+ ),
+ id: 'T1162',
+ name: 'Login Item',
+ reference: 'https://attack.mitre.org/techniques/T1162',
+ tactics: 'persistence',
+ value: 'loginItem',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.maliciousShellModificationDescription',
+ { defaultMessage: 'Malicious Shell Modification (T1156)' }
+ ),
+ id: 'T1156',
+ name: 'Malicious Shell Modification',
+ reference: 'https://attack.mitre.org/techniques/T1156',
+ tactics: 'persistence',
+ value: 'maliciousShellModification',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.masqueradingDescription',
@@ -2652,6 +4192,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'modifyCloudComputeInfrastructure',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.modifyExistingServiceDescription',
+ { defaultMessage: 'Modify Existing Service (T1031)' }
+ ),
+ id: 'T1031',
+ name: 'Modify Existing Service',
+ reference: 'https://attack.mitre.org/techniques/T1031',
+ tactics: 'persistence',
+ value: 'modifyExistingService',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.modifyRegistryDescription',
@@ -2674,6 +4225,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'modifySystemImage',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.mshtaDescription',
+ { defaultMessage: 'Mshta (T1170)' }
+ ),
+ id: 'T1170',
+ name: 'Mshta',
+ reference: 'https://attack.mitre.org/techniques/T1170',
+ tactics: 'defense-evasion,execution',
+ value: 'mshta',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multiFactorAuthenticationInterceptionDescription',
+ { defaultMessage: 'Multi-Factor Authentication Interception (T1111)' }
+ ),
+ id: 'T1111',
+ name: 'Multi-Factor Authentication Interception',
+ reference: 'https://attack.mitre.org/techniques/T1111',
+ tactics: 'credential-access',
+ value: 'multiFactorAuthenticationInterception',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multiFactorAuthenticationRequestGenerationDescription',
+ { defaultMessage: 'Multi-Factor Authentication Request Generation (T1621)' }
+ ),
+ id: 'T1621',
+ name: 'Multi-Factor Authentication Request Generation',
+ reference: 'https://attack.mitre.org/techniques/T1621',
+ tactics: 'credential-access',
+ value: 'multiFactorAuthenticationRequestGeneration',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multiStageChannelsDescription',
@@ -2685,6 +4269,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'command-and-control',
 value: 'multiStageChannels',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multiHopProxyDescription',
+ { defaultMessage: 'Multi-hop Proxy (T1188)' }
+ ),
+ id: 'T1188',
+ name: 'Multi-hop Proxy',
+ reference: 'https://attack.mitre.org/techniques/T1188',
+ tactics: 'command-and-control',
+ value: 'multiHopProxy',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multibandCommunicationDescription',
@@ -2698,18 +4293,51 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.nativeApiDescription',
- { defaultMessage: 'Native API (T1106)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.multilayerEncryptionDescription',
+ { defaultMessage: 'Multilayer Encryption (T1079)' }
 ),
- id: 'T1106',
- name: 'Native API',
- reference: 'https://attack.mitre.org/techniques/T1106',
- tactics: 'execution',
- value: 'nativeApi',
+ id: 'T1079',
+ name: 'Multilayer Encryption',
+ reference: 'https://attack.mitre.org/techniques/T1079',
+ tactics: 'command-and-control',
+ value: 'multilayerEncryption',
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkBoundaryBridgingDescription',
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.ntfsFileAttributesDescription',
+ { defaultMessage: 'NTFS File Attributes (T1096)' }
+ ),
+ id: 'T1096',
+ name: 'NTFS File Attributes',
+ reference: 'https://attack.mitre.org/techniques/T1096',
+ tactics: 'defense-evasion',
+ value: 'ntfsFileAttributes',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.nativeApiDescription',
+ { defaultMessage: 'Native API (T1106)' }
+ ),
+ id: 'T1106',
+ name: 'Native API',
+ reference: 'https://attack.mitre.org/techniques/T1106',
+ tactics: 'execution',
+ value: 'nativeApi',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.netshHelperDllDescription',
+ { defaultMessage: 'Netsh Helper DLL (T1128)' }
+ ),
+ id: 'T1128',
+ name: 'Netsh Helper DLL',
+ reference: 'https://attack.mitre.org/techniques/T1128',
+ tactics: 'persistence',
+ value: 'netshHelperDll',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkBoundaryBridgingDescription',
 { defaultMessage: 'Network Boundary Bridging (T1599)' }
 ),
 id: 'T1599',
@@ -2731,14 +4359,25 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkServiceScanningDescription',
- { defaultMessage: 'Network Service Scanning (T1046)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkServiceDiscoveryDescription',
+ { defaultMessage: 'Network Service Discovery (T1046)' }
 ),
 id: 'T1046',
- name: 'Network Service Scanning',
+ name: 'Network Service Discovery',
 reference: 'https://attack.mitre.org/techniques/T1046',
 tactics: 'discovery',
- value: 'networkServiceScanning',
+ value: 'networkServiceDiscovery',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkShareConnectionRemovalDescription',
+ { defaultMessage: 'Network Share Connection Removal (T1126)' }
+ ),
+ id: 'T1126',
+ name: 'Network Share Connection Removal',
+ reference: 'https://attack.mitre.org/techniques/T1126',
+ tactics: 'defense-evasion',
+ value: 'networkShareConnectionRemoval',
 },
 {
 label: i18n.translate(
@@ -2762,6 +4401,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'credential-access,discovery',
 value: 'networkSniffing',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.newServiceDescription',
+ { defaultMessage: 'New Service (T1050)' }
+ ),
+ id: 'T1050',
+ name: 'New Service',
+ reference: 'https://attack.mitre.org/techniques/T1050',
+ tactics: 'persistence,privilege-escalation',
+ value: 'newService',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.nonApplicationLayerProtocolDescription',
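Review bot: Renaming `value` from `networkServiceScanning` to `networkServiceDiscovery` in the 2731 hunk, together with its i18n key, breaks anything that persisted or keys on `value` or `name` instead of `id`; the same applies to T1218 (`signedBinaryProxyExecution` removed in 3204, `systemBinaryProxyExecution` added in 3323), T1216 (3204 and 3378) and T1111 (`twoFactorAuthenticationInterception` removed in 3490, `multiFactorAuthenticationInterception` added in 2674). I cannot see the consumer from here, so it is worth confirming that the rule editor and any URL or form state resolve options by `id` only and that saved rules carrying the old `name` strings still render; the dropped translation keys will also orphan existing entries in the locale bundles. A one-line comment on `MitreTechniquesOptions` (outside the hunk) such as `// value and name track the current ATT&CK naming and are not stable identifiers; key on id.` would stop future code from relying on them.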
@@ -2828,6 +4478,50 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'persistence',
 value: 'officeApplicationStartup',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.parentPidSpoofingDescription',
+ { defaultMessage: 'Parent PID Spoofing (T1502)' }
+ ),
+ id: 'T1502',
+ name: 'Parent PID Spoofing',
+ reference: 'https://attack.mitre.org/techniques/T1502',
+ tactics: 'defense-evasion,privilege-escalation',
+ value: 'parentPidSpoofing',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.passTheHashDescription',
+ { defaultMessage: 'Pass the Hash (T1075)' }
+ ),
+ id: 'T1075',
+ name: 'Pass the Hash',
+ reference: 'https://attack.mitre.org/techniques/T1075',
+ tactics: 'lateral-movement',
+ value: 'passTheHash',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.passTheTicketDescription',
+ { defaultMessage: 'Pass the Ticket (T1097)' }
+ ),
+ id: 'T1097',
+ name: 'Pass the Ticket',
+ reference: 'https://attack.mitre.org/techniques/T1097',
+ tactics: 'lateral-movement',
+ value: 'passTheTicket',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.passwordFilterDllDescription',
+ { defaultMessage: 'Password Filter DLL (T1174)' }
+ ),
+ id: 'T1174',
+ name: 'Password Filter DLL',
+ reference: 'https://attack.mitre.org/techniques/T1174',
+ tactics: 'credential-access',
+ value: 'passwordFilterDll',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.passwordPolicyDiscoveryDescription',
@@ -2894,6 +4588,61 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'reconnaissance',
 value: 'phishingForInformation',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.plistFileModificationDescription',
+ { defaultMessage: 'Plist File Modification (T1647)' }
+ ),
+ id: 'T1647',
+ name: 'Plist File Modification',
+ reference: 'https://attack.mitre.org/techniques/T1647',
+ tactics: 'defense-evasion',
+ value: 'plistFileModification',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.plistModificationDescription',
+ { defaultMessage: 'Plist Modification (T1150)' }
+ ),
+ id: 'T1150',
+ name: 'Plist Modification',
+ reference: 'https://attack.mitre.org/techniques/T1150',
+ tactics: 'defense-evasion,persistence,privilege-escalation',
+ value: 'plistModification',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.portMonitorsDescription',
+ { defaultMessage: 'Port Monitors (T1013)' }
+ ),
+ id: 'T1013',
+ name: 'Port Monitors',
+ reference: 'https://attack.mitre.org/techniques/T1013',
+ tactics: 'persistence,privilege-escalation',
+ value: 'portMonitors',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.powerShellDescription',
+ { defaultMessage: 'PowerShell (T1086)' }
+ ),
+ id: 'T1086',
+ name: 'PowerShell',
+ reference: 'https://attack.mitre.org/techniques/T1086',
+ tactics: 'execution',
+ value: 'powerShell',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.powerShellProfileDescription',
+ { defaultMessage: 'PowerShell Profile (T1504)' }
+ ),
+ id: 'T1504',
+ name: 'PowerShell Profile',
+ reference: 'https://attack.mitre.org/techniques/T1504',
+ tactics: 'persistence,privilege-escalation',
+ value: 'powerShellProfile',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.preOsBootDescription',
@@ -2905,6 +4654,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion,persistence',
 value: 'preOsBoot',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.privateKeysDescription',
+ { defaultMessage: 'Private Keys (T1145)' }
+ ),
+ id: 'T1145',
+ name: 'Private Keys',
+ reference: 'https://attack.mitre.org/techniques/T1145',
+ tactics: 'credential-access',
+ value: 'privateKeys',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.processDiscoveryDescription',
@@ -2916,6 +4676,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'discovery',
 value: 'processDiscovery',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.processDoppelgangingDescription',
+ { defaultMessage: 'Process Doppelgänging (T1186)' }
+ ),
+ id: 'T1186',
+ name: 'Process Doppelgänging',
+ reference: 'https://attack.mitre.org/techniques/T1186',
+ tactics: 'defense-evasion',
+ value: 'processDoppelganging',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.processHollowingDescription',
+ { defaultMessage: 'Process Hollowing (T1093)' }
+ ),
+ id: 'T1093',
+ name: 'Process Hollowing',
+ reference: 'https://attack.mitre.org/techniques/T1093',
+ tactics: 'defense-evasion',
+ value: 'processHollowing',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.processInjectionDescription',
@@ -2960,6 +4742,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'discovery',
 value: 'queryRegistry',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.rcCommonDescription',
+ { defaultMessage: 'Rc.common (T1163)' }
+ ),
+ id: 'T1163',
+ name: 'Rc.common',
+ reference: 'https://attack.mitre.org/techniques/T1163',
+ tactics: 'persistence',
+ value: 'rcCommon',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.reOpenedApplicationsDescription',
+ { defaultMessage: 'Re-opened Applications (T1164)' }
+ ),
+ id: 'T1164',
+ name: 'Re-opened Applications',
+ reference: 'https://attack.mitre.org/techniques/T1164',
+ tactics: 'persistence',
+ value: 'reOpenedApplications',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.redundantAccessDescription',
@@ -2982,6 +4786,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'reflectiveCodeLoading',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.registryRunKeysStartupFolderDescription',
+ { defaultMessage: 'Registry Run Keys / Startup Folder (T1060)' }
+ ),
+ id: 'T1060',
+ name: 'Registry Run Keys / Startup Folder',
+ reference: 'https://attack.mitre.org/techniques/T1060',
+ tactics: 'persistence',
+ value: 'registryRunKeysStartupFolder',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.regsvcsRegasmDescription',
+ { defaultMessage: 'Regsvcs/Regasm (T1121)' }
+ ),
+ id: 'T1121',
+ name: 'Regsvcs/Regasm',
+ reference: 'https://attack.mitre.org/techniques/T1121',
+ tactics: 'defense-evasion,execution',
+ value: 'regsvcsRegasm',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.regsvr32Description',
+ { defaultMessage: 'Regsvr32 (T1117)' }
+ ),
+ id: 'T1117',
+ name: 'Regsvr32',
+ reference: 'https://attack.mitre.org/techniques/T1117',
+ tactics: 'defense-evasion,execution',
+ value: 'regsvr32',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.remoteAccessSoftwareDescription',
@@ -2993,6 +4830,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'command-and-control',
 value: 'remoteAccessSoftware',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.remoteDesktopProtocolDescription',
+ { defaultMessage: 'Remote Desktop Protocol (T1076)' }
+ ),
+ id: 'T1076',
+ name: 'Remote Desktop Protocol',
+ reference: 'https://attack.mitre.org/techniques/T1076',
+ tactics: 'lateral-movement',
+ value: 'remoteDesktopProtocol',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.remoteServiceSessionHijackingDescription',
@@ -3048,6 +4896,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'impact',
 value: 'resourceHijacking',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.revertCloudInstanceDescription',
+ { defaultMessage: 'Revert Cloud Instance (T1536)' }
+ ),
+ id: 'T1536',
+ name: 'Revert Cloud Instance',
+ reference: 'https://attack.mitre.org/techniques/T1536',
+ tactics: 'defense-evasion',
+ value: 'revertCloudInstance',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.rogueDomainControllerDescription',
@@ -3070,6 +4929,61 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'rootkit',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.rundll32Description',
+ { defaultMessage: 'Rundll32 (T1085)' }
+ ),
+ id: 'T1085',
+ name: 'Rundll32',
+ reference: 'https://attack.mitre.org/techniques/T1085',
+ tactics: 'defense-evasion,execution',
+ value: 'rundll32',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.runtimeDataManipulationDescription',
+ { defaultMessage: 'Runtime Data Manipulation (T1494)' }
+ ),
+ id: 'T1494',
+ name: 'Runtime Data Manipulation',
+ reference: 'https://attack.mitre.org/techniques/T1494',
+ tactics: 'impact',
+ value: 'runtimeDataManipulation',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sidHistoryInjectionDescription',
+ { defaultMessage: 'SID-History Injection (T1178)' }
+ ),
+ id: 'T1178',
+ name: 'SID-History Injection',
+ reference: 'https://attack.mitre.org/techniques/T1178',
+ tactics: 'privilege-escalation',
+ value: 'sidHistoryInjection',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sipAndTrustProviderHijackingDescription',
+ { defaultMessage: 'SIP and Trust Provider Hijacking (T1198)' }
+ ),
+ id: 'T1198',
+ name: 'SIP and Trust Provider Hijacking',
+ reference: 'https://attack.mitre.org/techniques/T1198',
+ tactics: 'defense-evasion,persistence',
+ value: 'sipAndTrustProviderHijacking',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sshHijackingDescription',
+ { defaultMessage: 'SSH Hijacking (T1184)' }
+ ),
+ id: 'T1184',
+ name: 'SSH Hijacking',
+ reference: 'https://attack.mitre.org/techniques/T1184',
+ tactics: 'lateral-movement',
+ value: 'sshHijacking',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.scheduledTaskJobDescription',
@@ -3103,6 +5017,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'collection',
 value: 'screenCapture',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.screensaverDescription',
+ { defaultMessage: 'Screensaver (T1180)' }
+ ),
+ id: 'T1180',
+ name: 'Screensaver',
+ reference: 'https://attack.mitre.org/techniques/T1180',
+ tactics: 'persistence',
+ value: 'screensaver',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.scriptingDescription',
@@ -3158,6 +5083,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'reconnaissance',
 value: 'searchVictimOwnedWebsites',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.securitySoftwareDiscoveryDescription',
+ { defaultMessage: 'Security Software Discovery (T1063)' }
+ ),
+ id: 'T1063',
+ name: 'Security Software Discovery',
+ reference: 'https://attack.mitre.org/techniques/T1063',
+ tactics: 'discovery',
+ value: 'securitySoftwareDiscovery',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.securitySupportProviderDescription',
+ { defaultMessage: 'Security Support Provider (T1101)' }
+ ),
+ id: 'T1101',
+ name: 'Security Support Provider',
+ reference: 'https://attack.mitre.org/techniques/T1101',
+ tactics: 'persistence',
+ value: 'securitySupportProvider',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.securitydMemoryDescription',
+ { defaultMessage: 'Securityd Memory (T1167)' }
+ ),
+ id: 'T1167',
+ name: 'Securityd Memory',
+ reference: 'https://attack.mitre.org/techniques/T1167',
+ tactics: 'credential-access',
+ value: 'securitydMemory',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.serverSoftwareComponentDescription',
@@ -3169,6 +5127,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'persistence',
 value: 'serverSoftwareComponent',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceExecutionDescription',
+ { defaultMessage: 'Service Execution (T1035)' }
+ ),
+ id: 'T1035',
+ name: 'Service Execution',
+ reference: 'https://attack.mitre.org/techniques/T1035',
+ tactics: 'execution',
+ value: 'serviceExecution',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceRegistryPermissionsWeaknessDescription',
+ { defaultMessage: 'Service Registry Permissions Weakness (T1058)' }
+ ),
+ id: 'T1058',
+ name: 'Service Registry Permissions Weakness',
+ reference: 'https://attack.mitre.org/techniques/T1058',
+ tactics: 'persistence,privilege-escalation',
+ value: 'serviceRegistryPermissionsWeakness',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceStopDescription',
@@ -3180,6 +5160,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'impact',
 value: 'serviceStop',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.setuidAndSetgidDescription',
+ { defaultMessage: 'Setuid and Setgid (T1166)' }
+ ),
+ id: 'T1166',
+ name: 'Setuid and Setgid',
+ reference: 'https://attack.mitre.org/techniques/T1166',
+ tactics: 'privilege-escalation,persistence',
+ value: 'setuidAndSetgid',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedModulesDescription',
@@ -3204,30 +5195,19 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedBinaryProxyExecutionDescription',
- { defaultMessage: 'Signed Binary Proxy Execution (T1218)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.shortcutModificationDescription',
+ { defaultMessage: 'Shortcut Modification (T1023)' }
 ),
- id: 'T1218',
- name: 'Signed Binary Proxy Execution',
- reference: 'https://attack.mitre.org/techniques/T1218',
- tactics: 'defense-evasion',
- value: 'signedBinaryProxyExecution',
+ id: 'T1023',
+ name: 'Shortcut Modification',
+ reference: 'https://attack.mitre.org/techniques/T1023',
+ tactics: 'persistence',
+ value: 'shortcutModification',
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedScriptProxyExecutionDescription',
- { defaultMessage: 'Signed Script Proxy Execution (T1216)' }
- ),
- id: 'T1216',
- name: 'Signed Script Proxy Execution',
- reference: 'https://attack.mitre.org/techniques/T1216',
- tactics: 'defense-evasion',
- value: 'signedScriptProxyExecution',
- },
- {
- label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDeploymentToolsDescription',
- { defaultMessage: 'Software Deployment Tools (T1072)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDeploymentToolsDescription',
+ { defaultMessage: 'Software Deployment Tools (T1072)' }
 ),
 id: 'T1072',
 name: 'Software Deployment Tools',
@@ -3246,6 +5226,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'discovery',
 value: 'softwareDiscovery',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwarePackingDescription',
+ { defaultMessage: 'Software Packing (T1045)' }
+ ),
+ id: 'T1045',
+ name: 'Software Packing',
+ reference: 'https://attack.mitre.org/techniques/T1045',
+ tactics: 'defense-evasion',
+ value: 'softwarePacking',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sourceDescription',
@@ -3257,6 +5248,50 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'execution',
 value: 'source',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.spaceAfterFilenameDescription',
+ { defaultMessage: 'Space after Filename (T1151)' }
+ ),
+ id: 'T1151',
+ name: 'Space after Filename',
+ reference: 'https://attack.mitre.org/techniques/T1151',
+ tactics: 'defense-evasion,execution',
+ value: 'spaceAfterFilename',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.spearphishingAttachmentDescription',
+ { defaultMessage: 'Spearphishing Attachment (T1193)' }
+ ),
+ id: 'T1193',
+ name: 'Spearphishing Attachment',
+ reference: 'https://attack.mitre.org/techniques/T1193',
+ tactics: 'initial-access',
+ value: 'spearphishingAttachment',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.spearphishingLinkDescription',
+ { defaultMessage: 'Spearphishing Link (T1192)' }
+ ),
+ id: 'T1192',
+ name: 'Spearphishing Link',
+ reference: 'https://attack.mitre.org/techniques/T1192',
+ tactics: 'initial-access',
+ value: 'spearphishingLink',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.spearphishingViaServiceDescription',
+ { defaultMessage: 'Spearphishing via Service (T1194)' }
+ ),
+ id: 'T1194',
+ name: 'Spearphishing via Service',
+ reference: 'https://attack.mitre.org/techniques/T1194',
+ tactics: 'initial-access',
+ value: 'spearphishingViaService',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.stageCapabilitiesDescription',
@@ -3268,6 +5303,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'resource-development',
 value: 'stageCapabilities',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.standardCryptographicProtocolDescription',
+ { defaultMessage: 'Standard Cryptographic Protocol (T1032)' }
+ ),
+ id: 'T1032',
+ name: 'Standard Cryptographic Protocol',
+ reference: 'https://attack.mitre.org/techniques/T1032',
+ tactics: 'command-and-control',
+ value: 'standardCryptographicProtocol',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.startupItemsDescription',
+ { defaultMessage: 'Startup Items (T1165)' }
+ ),
+ id: 'T1165',
+ name: 'Startup Items',
+ reference: 'https://attack.mitre.org/techniques/T1165',
+ tactics: 'persistence,privilege-escalation',
+ value: 'startupItems',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.stealApplicationAccessTokenDescription',
@@ -3301,6 +5358,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'credential-access',
 value: 'stealOrForgeKerberosTickets',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.storedDataManipulationDescription',
+ { defaultMessage: 'Stored Data Manipulation (T1492)' }
+ ),
+ id: 'T1492',
+ name: 'Stored Data Manipulation',
+ reference: 'https://attack.mitre.org/techniques/T1492',
+ tactics: 'impact',
+ value: 'storedDataManipulation',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.subvertTrustControlsDescription',
@@ -3312,6 +5380,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'subvertTrustControls',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sudoDescription',
+ { defaultMessage: 'Sudo (T1169)' }
+ ),
+ id: 'T1169',
+ name: 'Sudo',
+ reference: 'https://attack.mitre.org/techniques/T1169',
+ tactics: 'privilege-escalation',
+ value: 'sudo',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.sudoCachingDescription',
+ { defaultMessage: 'Sudo Caching (T1206)' }
+ ),
+ id: 'T1206',
+ name: 'Sudo Caching',
+ reference: 'https://attack.mitre.org/techniques/T1206',
+ tactics: 'privilege-escalation',
+ value: 'sudoCaching',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.supplyChainCompromiseDescription',
@@ -3323,6 +5413,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'initial-access',
 value: 'supplyChainCompromise',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemBinaryProxyExecutionDescription',
+ { defaultMessage: 'System Binary Proxy Execution (T1218)' }
+ ),
+ id: 'T1218',
+ name: 'System Binary Proxy Execution',
+ reference: 'https://attack.mitre.org/techniques/T1218',
+ tactics: 'defense-evasion',
+ value: 'systemBinaryProxyExecution',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemFirmwareDescription',
+ { defaultMessage: 'System Firmware (T1019)' }
+ ),
+ id: 'T1019',
+ name: 'System Firmware',
+ reference: 'https://attack.mitre.org/techniques/T1019',
+ tactics: 'persistence',
+ value: 'systemFirmware',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemInformationDiscoveryDescription',
@@ -3378,6 +5490,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'discovery',
 value: 'systemOwnerUserDiscovery',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemScriptProxyExecutionDescription',
+ { defaultMessage: 'System Script Proxy Execution (T1216)' }
+ ),
+ id: 'T1216',
+ name: 'System Script Proxy Execution',
+ reference: 'https://attack.mitre.org/techniques/T1216',
+ tactics: 'defense-evasion',
+ value: 'systemScriptProxyExecution',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemServiceDiscoveryDescription',
@@ -3422,6 +5545,17 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'discovery',
 value: 'systemTimeDiscovery',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.systemdServiceDescription',
+ { defaultMessage: 'Systemd Service (T1501)' }
+ ),
+ id: 'T1501',
+ name: 'Systemd Service',
+ reference: 'https://attack.mitre.org/techniques/T1501',
+ tactics: 'persistence',
+ value: 'systemdService',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.taintSharedContentDescription',
@@ -3444,6 +5578,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'defense-evasion',
 value: 'templateInjection',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.timeProvidersDescription',
+ { defaultMessage: 'Time Providers (T1209)' }
+ ),
+ id: 'T1209',
+ name: 'Time Providers',
+ reference: 'https://attack.mitre.org/techniques/T1209',
+ tactics: 'persistence',
+ value: 'timeProviders',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.timestompDescription',
+ { defaultMessage: 'Timestomp (T1099)' }
+ ),
+ id: 'T1099',
+ name: 'Timestomp',
+ reference: 'https://attack.mitre.org/techniques/T1099',
+ tactics: 'defense-evasion',
+ value: 'timestomp',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.trafficSignalingDescription',
@@ -3466,6 +5622,28 @@ export const techniquesOptions: MitreTechniquesOptions[] = [
 tactics: 'exfiltration',
 value: 'transferDataToCloudAccount',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.transmittedDataManipulationDescription',
+ { defaultMessage: 'Transmitted Data Manipulation (T1493)' }
+ ),
+ id: 'T1493',
+ name: 'Transmitted Data Manipulation',
+ reference: 'https://attack.mitre.org/techniques/T1493',
+ tactics: 'impact',
+ value: 'transmittedDataManipulation',
+ },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.trapDescription',
+ { defaultMessage: 'Trap (T1154)' }
+ ),
+ id: 'T1154',
+ name: 'Trap',
+ reference: 'https://attack.mitre.org/techniques/T1154',
+ tactics: 'execution,persistence',
+ value: 'trap',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedDeveloperUtilitiesProxyExecutionDescription',
@@ -3490,14 +5668,14 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.twoFactorAuthenticationInterceptionDescription', - { defaultMessage: 'Two-Factor Authentication Interception (T1111)' } + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.uncommonlyUsedPortDescription', + { defaultMessage: 'Uncommonly Used Port (T1065)' } ), - id: 'T1111', - name: 'Two-Factor Authentication Interception', - reference: 'https://attack.mitre.org/techniques/T1111', - tactics: 'credential-access', - value: 'twoFactorAuthenticationInterception', + id: 'T1065', + name: 'Uncommonly Used Port', + reference: 'https://attack.mitre.org/techniques/T1065', + tactics: 'command-and-control', + value: 'uncommonlyUsedPort', }, { label: i18n.translate( 
@@ -3598,6 +5776,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'command-and-control', value: 'webService', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.webSessionCookieDescription', + { defaultMessage: 'Web Session Cookie (T1506)' } + ), + id: 'T1506', + name: 'Web Session Cookie', + reference: 'https://attack.mitre.org/techniques/T1506', + tactics: 'defense-evasion,lateral-movement', + value: 'webSessionCookie', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.webShellDescription', + { defaultMessage: 'Web Shell (T1100)' } + ), + id: 'T1100', + name: 'Web Shell', + reference: 'https://attack.mitre.org/techniques/T1100', + tactics: 'persistence,privilege-escalation', + value: 'webShell', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.windowsAdminSharesDescription', + { defaultMessage: 'Windows Admin Shares (T1077)' } + ), + id: 'T1077', + name: 'Windows Admin Shares', + reference: 'https://attack.mitre.org/techniques/T1077', + tactics: 'lateral-movement', + value: 'windowsAdminShares', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.windowsManagementInstrumentationDescription', 
@@ -3609,6 +5820,39 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ tactics: 'execution', value: 'windowsManagementInstrumentation', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.windowsManagementInstrumentationEventSubscriptionDescription', + { defaultMessage: 'Windows Management Instrumentation Event Subscription (T1084)' } + ), + id: 'T1084', + name: 'Windows Management Instrumentation Event Subscription', + reference: 'https://attack.mitre.org/techniques/T1084', + tactics: 'persistence', + value: 'windowsManagementInstrumentationEventSubscription', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.windowsRemoteManagementDescription', + { defaultMessage: 'Windows Remote Management (T1028)' } + ), + id: 'T1028', + name: 'Windows Remote Management', + reference: 'https://attack.mitre.org/techniques/T1028', + tactics: 'execution,lateral-movement', + value: 'windowsRemoteManagement', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.winlogonHelperDllDescription', + { defaultMessage: 'Winlogon Helper DLL (T1004)' } + ), + id: 'T1004', + name: 'Winlogon Helper DLL', + reference: 'https://attack.mitre.org/techniques/T1004', + tactics: 'persistence', + value: 'winlogonHelperDll', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackTechniques.xslScriptProcessingDescription', 
@@ -3622,114 +5866,2845 @@ export const techniquesOptions: MitreTechniquesOptions[] = [ }, ]; -export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ +export const subtechniques = [ { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.etcPasswdAndEtcShadowT1003Description', - { defaultMessage: '/etc/passwd and /etc/shadow (T1003.008)' } - ), - id: 'T1003.008', name: '/etc/passwd and /etc/shadow', + id: 'T1003.008', reference: 'https://attack.mitre.org/techniques/T1003/008', - tactics: 'credential-access', + tactics: ['credential-access'], techniqueId: 'T1003', - value: 'etcPasswdAndEtcShadow', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.arpCachePoisoningT1557Description', - { defaultMessage: 'ARP Cache Poisoning (T1557.002)' } - ), - id: 'T1557.002', name: 'ARP Cache Poisoning', + id: 'T1557.002', reference: 'https://attack.mitre.org/techniques/T1557/002', - tactics: 'credential-access,collection', + tactics: ['credential-access', 'collection'], techniqueId: 'T1557', - value: 'arpCachePoisoning', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asRepRoastingT1558Description', - { defaultMessage: 'AS-REP Roasting (T1558.004)' } - ), - id: 'T1558.004', name: 'AS-REP Roasting', + id: 'T1558.004', reference: 'https://attack.mitre.org/techniques/T1558/004', - tactics: 'credential-access', + tactics: ['credential-access'], techniqueId: 'T1558', - value: 'asRepRoasting', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.accessibilityFeaturesT1546Description', - { defaultMessage: 'Accessibility Features (T1546.008)' } - ), - id: 'T1546.008', name: 'Accessibility Features', + id: 'T1546.008', reference: 'https://attack.mitre.org/techniques/T1546/008', - tactics: 'privilege-escalation,persistence', + tactics: ['privilege-escalation', 'persistence'], techniqueId: 'T1546', - 
value: 'accessibilityFeatures', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.activeSetupT1547Description', - { defaultMessage: 'Active Setup (T1547.014)' } - ), - id: 'T1547.014', name: 'Active Setup', + id: 'T1547.014', reference: 'https://attack.mitre.org/techniques/T1547/014', - tactics: 'persistence,privilege-escalation', + tactics: ['persistence', 'privilege-escalation'], techniqueId: 'T1547', - value: 'activeSetup', - }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addOffice365GlobalAdministratorRoleT1098Description', - { defaultMessage: 'Add Office 365 Global Administrator Role (T1098.003)' } - ), - id: 'T1098.003', - name: 'Add Office 365 Global Administrator Role', - reference: 'https://attack.mitre.org/techniques/T1098/003', - tactics: 'persistence', - techniqueId: 'T1098', - value: 'addOffice365GlobalAdministratorRole', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addInsT1137Description', - { defaultMessage: 'Add-ins (T1137.006)' } - ), - id: 'T1137.006', name: 'Add-ins', + id: 'T1137.006', reference: 'https://attack.mitre.org/techniques/T1137/006', - tactics: 'persistence', + tactics: ['persistence'], techniqueId: 'T1137', - value: 'addIns', }, { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description', - { defaultMessage: 'Additional Cloud Credentials (T1098.001)' } - ), - id: 'T1098.001', name: 'Additional Cloud Credentials', + id: 'T1098.001', reference: 'https://attack.mitre.org/techniques/T1098/001', - tactics: 'persistence', + tactics: ['persistence'], techniqueId: 'T1098', - value: 'additionalCloudCredentials', - }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description', - { defaultMessage: 'AppCert DLLs (T1546.009)' } - ), - id: 'T1546.009', - 
name: 'AppCert DLLs', - reference: 'https://attack.mitre.org/techniques/T1546/009', - tactics: 'privilege-escalation,persistence', - techniqueId: 'T1546', - value: 'appCertDlLs', + }, + { + name: 'Additional Cloud Roles', + id: 'T1098.003', + reference: 'https://attack.mitre.org/techniques/T1098/003', + tactics: ['persistence'], + techniqueId: 'T1098', + }, + { + name: 'Additional Email Delegate Permissions', + id: 'T1098.002', + reference: 'https://attack.mitre.org/techniques/T1098/002', + tactics: ['persistence'], + techniqueId: 'T1098', + }, + { + name: 'AppCert DLLs', + id: 'T1546.009', + reference: 'https://attack.mitre.org/techniques/T1546/009', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'AppInit DLLs', + id: 'T1546.010', + reference: 'https://attack.mitre.org/techniques/T1546/010', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'AppleScript', + id: 'T1059.002', + reference: 'https://attack.mitre.org/techniques/T1059/002', + tactics: ['execution'], + techniqueId: 'T1059', + }, + { + name: 'Application Access Token', + id: 'T1550.001', + reference: 'https://attack.mitre.org/techniques/T1550/001', + tactics: ['defense-evasion', 'lateral-movement'], + techniqueId: 'T1550', + }, + { + name: 'Application Exhaustion Flood', + id: 'T1499.003', + reference: 'https://attack.mitre.org/techniques/T1499/003', + tactics: ['impact'], + techniqueId: 'T1499', + }, + { + name: 'Application Shimming', + id: 'T1546.011', + reference: 'https://attack.mitre.org/techniques/T1546/011', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Application or System Exploitation', + id: 'T1499.004', + reference: 'https://attack.mitre.org/techniques/T1499/004', + tactics: ['impact'], + techniqueId: 'T1499', + }, + { + name: 'Archive via Custom Method', + id: 'T1560.003', + reference: 'https://attack.mitre.org/techniques/T1560/003', + tactics: 
['collection'], + techniqueId: 'T1560', + }, + { + name: 'Archive via Library', + id: 'T1560.002', + reference: 'https://attack.mitre.org/techniques/T1560/002', + tactics: ['collection'], + techniqueId: 'T1560', + }, + { + name: 'Archive via Utility', + id: 'T1560.001', + reference: 'https://attack.mitre.org/techniques/T1560/001', + tactics: ['collection'], + techniqueId: 'T1560', + }, + { + name: 'Asymmetric Cryptography', + id: 'T1573.002', + reference: 'https://attack.mitre.org/techniques/T1573/002', + tactics: ['command-and-control'], + techniqueId: 'T1573', + }, + { + name: 'Asynchronous Procedure Call', + id: 'T1055.004', + reference: 'https://attack.mitre.org/techniques/T1055/004', + tactics: ['defense-evasion', 'privilege-escalation'], + techniqueId: 'T1055', + }, + { + name: 'At', + id: 'T1053.002', + reference: 'https://attack.mitre.org/techniques/T1053/002', + tactics: ['execution', 'persistence', 'privilege-escalation'], + techniqueId: 'T1053', + }, + { + name: 'At (Linux)', + id: 'T1053.001', + reference: 'https://attack.mitre.org/techniques/T1053/001', + tactics: ['execution', 'persistence', 'privilege-escalation'], + techniqueId: 'T1053', + }, + { + name: 'Authentication Package', + id: 'T1547.002', + reference: 'https://attack.mitre.org/techniques/T1547/002', + tactics: ['persistence', 'privilege-escalation'], + techniqueId: 'T1547', + }, + { + name: 'Bash History', + id: 'T1552.003', + reference: 'https://attack.mitre.org/techniques/T1552/003', + tactics: ['credential-access'], + techniqueId: 'T1552', + }, + { + name: 'Bidirectional Communication', + id: 'T1102.002', + reference: 'https://attack.mitre.org/techniques/T1102/002', + tactics: ['command-and-control'], + techniqueId: 'T1102', + }, + { + name: 'Binary Padding', + id: 'T1027.001', + reference: 'https://attack.mitre.org/techniques/T1027/001', + tactics: ['defense-evasion'], + techniqueId: 'T1027', + }, + { + name: 'Bootkit', + id: 'T1542.003', + reference: 
'https://attack.mitre.org/techniques/T1542/003', + tactics: ['persistence', 'defense-evasion'], + techniqueId: 'T1542', + }, + { + name: 'Botnet', + id: 'T1583.005', + reference: 'https://attack.mitre.org/techniques/T1583/005', + tactics: ['resource-development'], + techniqueId: 'T1583', + }, + { + name: 'Botnet', + id: 'T1584.005', + reference: 'https://attack.mitre.org/techniques/T1584/005', + tactics: ['resource-development'], + techniqueId: 'T1584', + }, + { + name: 'Business Relationships', + id: 'T1591.002', + reference: 'https://attack.mitre.org/techniques/T1591/002', + tactics: ['reconnaissance'], + techniqueId: 'T1591', + }, + { + name: 'Bypass User Account Control', + id: 'T1548.002', + reference: 'https://attack.mitre.org/techniques/T1548/002', + tactics: ['privilege-escalation', 'defense-evasion'], + techniqueId: 'T1548', + }, + { + name: 'CDNs', + id: 'T1596.004', + reference: 'https://attack.mitre.org/techniques/T1596/004', + tactics: ['reconnaissance'], + techniqueId: 'T1596', + }, + { + name: 'CMSTP', + id: 'T1218.003', + reference: 'https://attack.mitre.org/techniques/T1218/003', + tactics: ['defense-evasion'], + techniqueId: 'T1218', + }, + { + name: 'COR_PROFILER', + id: 'T1574.012', + reference: 'https://attack.mitre.org/techniques/T1574/012', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + techniqueId: 'T1574', + }, + { + name: 'Cached Domain Credentials', + id: 'T1003.005', + reference: 'https://attack.mitre.org/techniques/T1003/005', + tactics: ['credential-access'], + techniqueId: 'T1003', + }, + { + name: 'Change Default File Association', + id: 'T1546.001', + reference: 'https://attack.mitre.org/techniques/T1546/001', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Clear Command History', + id: 'T1070.003', + reference: 'https://attack.mitre.org/techniques/T1070/003', + tactics: ['defense-evasion'], + techniqueId: 'T1070', + }, + { + name: 'Clear Linux or Mac System 
Logs', + id: 'T1070.002', + reference: 'https://attack.mitre.org/techniques/T1070/002', + tactics: ['defense-evasion'], + techniqueId: 'T1070', + }, + { + name: 'Clear Windows Event Logs', + id: 'T1070.001', + reference: 'https://attack.mitre.org/techniques/T1070/001', + tactics: ['defense-evasion'], + techniqueId: 'T1070', + }, + { + name: 'Client Configurations', + id: 'T1592.004', + reference: 'https://attack.mitre.org/techniques/T1592/004', + tactics: ['reconnaissance'], + techniqueId: 'T1592', + }, + { + name: 'Cloud Account', + id: 'T1087.004', + reference: 'https://attack.mitre.org/techniques/T1087/004', + tactics: ['discovery'], + techniqueId: 'T1087', + }, + { + name: 'Cloud Account', + id: 'T1136.003', + reference: 'https://attack.mitre.org/techniques/T1136/003', + tactics: ['persistence'], + techniqueId: 'T1136', + }, + { + name: 'Cloud Accounts', + id: 'T1078.004', + reference: 'https://attack.mitre.org/techniques/T1078/004', + tactics: ['defense-evasion', 'persistence', 'privilege-escalation', 'initial-access'], + techniqueId: 'T1078', + }, + { + name: 'Cloud Groups', + id: 'T1069.003', + reference: 'https://attack.mitre.org/techniques/T1069/003', + tactics: ['discovery'], + techniqueId: 'T1069', + }, + { + name: 'Cloud Instance Metadata API', + id: 'T1552.005', + reference: 'https://attack.mitre.org/techniques/T1552/005', + tactics: ['credential-access'], + techniqueId: 'T1552', + }, + { + name: 'Code Repositories', + id: 'T1213.003', + reference: 'https://attack.mitre.org/techniques/T1213/003', + tactics: ['collection'], + techniqueId: 'T1213', + }, + { + name: 'Code Signing', + id: 'T1553.002', + reference: 'https://attack.mitre.org/techniques/T1553/002', + tactics: ['defense-evasion'], + techniqueId: 'T1553', + }, + { + name: 'Code Signing Certificates', + id: 'T1587.002', + reference: 'https://attack.mitre.org/techniques/T1587/002', + tactics: ['resource-development'], + techniqueId: 'T1587', + }, + { + name: 'Code Signing Certificates', + id: 
'T1588.003', + reference: 'https://attack.mitre.org/techniques/T1588/003', + tactics: ['resource-development'], + techniqueId: 'T1588', + }, + { + name: 'Code Signing Policy Modification', + id: 'T1553.006', + reference: 'https://attack.mitre.org/techniques/T1553/006', + tactics: ['defense-evasion'], + techniqueId: 'T1553', + }, + { + name: 'Compile After Delivery', + id: 'T1027.004', + reference: 'https://attack.mitre.org/techniques/T1027/004', + tactics: ['defense-evasion'], + techniqueId: 'T1027', + }, + { + name: 'Compiled HTML File', + id: 'T1218.001', + reference: 'https://attack.mitre.org/techniques/T1218/001', + tactics: ['defense-evasion'], + techniqueId: 'T1218', + }, + { + name: 'Component Firmware', + id: 'T1542.002', + reference: 'https://attack.mitre.org/techniques/T1542/002', + tactics: ['persistence', 'defense-evasion'], + techniqueId: 'T1542', + }, + { + name: 'Component Object Model', + id: 'T1559.001', + reference: 'https://attack.mitre.org/techniques/T1559/001', + tactics: ['execution'], + techniqueId: 'T1559', + }, + { + name: 'Component Object Model Hijacking', + id: 'T1546.015', + reference: 'https://attack.mitre.org/techniques/T1546/015', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Compromise Hardware Supply Chain', + id: 'T1195.003', + reference: 'https://attack.mitre.org/techniques/T1195/003', + tactics: ['initial-access'], + techniqueId: 'T1195', + }, + { + name: 'Compromise Software Dependencies and Development Tools', + id: 'T1195.001', + reference: 'https://attack.mitre.org/techniques/T1195/001', + tactics: ['initial-access'], + techniqueId: 'T1195', + }, + { + name: 'Compromise Software Supply Chain', + id: 'T1195.002', + reference: 'https://attack.mitre.org/techniques/T1195/002', + tactics: ['initial-access'], + techniqueId: 'T1195', + }, + { + name: 'Confluence', + id: 'T1213.001', + reference: 'https://attack.mitre.org/techniques/T1213/001', + tactics: ['collection'], + techniqueId: 
'T1213', + }, + { + name: 'Container API', + id: 'T1552.007', + reference: 'https://attack.mitre.org/techniques/T1552/007', + tactics: ['credential-access'], + techniqueId: 'T1552', + }, + { + name: 'Container Orchestration Job', + id: 'T1053.007', + reference: 'https://attack.mitre.org/techniques/T1053/007', + tactics: ['execution', 'persistence', 'privilege-escalation'], + techniqueId: 'T1053', + }, + { + name: 'Control Panel', + id: 'T1218.002', + reference: 'https://attack.mitre.org/techniques/T1218/002', + tactics: ['defense-evasion'], + techniqueId: 'T1218', + }, + { + name: 'Create Cloud Instance', + id: 'T1578.002', + reference: 'https://attack.mitre.org/techniques/T1578/002', + tactics: ['defense-evasion'], + techniqueId: 'T1578', + }, + { + name: 'Create Process with Token', + id: 'T1134.002', + reference: 'https://attack.mitre.org/techniques/T1134/002', + tactics: ['defense-evasion', 'privilege-escalation'], + techniqueId: 'T1134', + }, + { + name: 'Create Snapshot', + id: 'T1578.001', + reference: 'https://attack.mitre.org/techniques/T1578/001', + tactics: ['defense-evasion'], + techniqueId: 'T1578', + }, + { + name: 'Credential API Hooking', + id: 'T1056.004', + reference: 'https://attack.mitre.org/techniques/T1056/004', + tactics: ['collection', 'credential-access'], + techniqueId: 'T1056', + }, + { + name: 'Credential Stuffing', + id: 'T1110.004', + reference: 'https://attack.mitre.org/techniques/T1110/004', + tactics: ['credential-access'], + techniqueId: 'T1110', + }, + { + name: 'Credentials', + id: 'T1589.001', + reference: 'https://attack.mitre.org/techniques/T1589/001', + tactics: ['reconnaissance'], + techniqueId: 'T1589', + }, + { + name: 'Credentials In Files', + id: 'T1552.001', + reference: 'https://attack.mitre.org/techniques/T1552/001', + tactics: ['credential-access'], + techniqueId: 'T1552', + }, + { + name: 'Credentials from Web Browsers', + id: 'T1555.003', + reference: 'https://attack.mitre.org/techniques/T1555/003', + tactics: 
['credential-access'], + techniqueId: 'T1555', + }, + { + name: 'Credentials in Registry', + id: 'T1552.002', + reference: 'https://attack.mitre.org/techniques/T1552/002', + tactics: ['credential-access'], + techniqueId: 'T1552', + }, + { + name: 'Cron', + id: 'T1053.003', + reference: 'https://attack.mitre.org/techniques/T1053/003', + tactics: ['execution', 'persistence', 'privilege-escalation'], + techniqueId: 'T1053', + }, + { + name: 'DCSync', + id: 'T1003.006', + reference: 'https://attack.mitre.org/techniques/T1003/006', + tactics: ['credential-access'], + techniqueId: 'T1003', + }, + { + name: 'DHCP Spoofing', + id: 'T1557.003', + reference: 'https://attack.mitre.org/techniques/T1557/003', + tactics: ['credential-access', 'collection'], + techniqueId: 'T1557', + }, + { + name: 'DLL Search Order Hijacking', + id: 'T1574.001', + reference: 'https://attack.mitre.org/techniques/T1574/001', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + techniqueId: 'T1574', + }, + { + name: 'DLL Side-Loading', + id: 'T1574.002', + reference: 'https://attack.mitre.org/techniques/T1574/002', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + techniqueId: 'T1574', + }, + { + name: 'DNS', + id: 'T1590.002', + reference: 'https://attack.mitre.org/techniques/T1590/002', + tactics: ['reconnaissance'], + techniqueId: 'T1590', + }, + { + name: 'DNS', + id: 'T1071.004', + reference: 'https://attack.mitre.org/techniques/T1071/004', + tactics: ['command-and-control'], + techniqueId: 'T1071', + }, + { + name: 'DNS Calculation', + id: 'T1568.003', + reference: 'https://attack.mitre.org/techniques/T1568/003', + tactics: ['command-and-control'], + techniqueId: 'T1568', + }, + { + name: 'DNS Server', + id: 'T1583.002', + reference: 'https://attack.mitre.org/techniques/T1583/002', + tactics: ['resource-development'], + techniqueId: 'T1583', + }, + { + name: 'DNS Server', + id: 'T1584.002', + reference: 
'https://attack.mitre.org/techniques/T1584/002', + tactics: ['resource-development'], + techniqueId: 'T1584', + }, + { + name: 'DNS/Passive DNS', + id: 'T1596.001', + reference: 'https://attack.mitre.org/techniques/T1596/001', + tactics: ['reconnaissance'], + techniqueId: 'T1596', + }, + { + name: 'Dead Drop Resolver', + id: 'T1102.001', + reference: 'https://attack.mitre.org/techniques/T1102/001', + tactics: ['command-and-control'], + techniqueId: 'T1102', + }, + { + name: 'Default Accounts', + id: 'T1078.001', + reference: 'https://attack.mitre.org/techniques/T1078/001', + tactics: ['defense-evasion', 'persistence', 'privilege-escalation', 'initial-access'], + techniqueId: 'T1078', + }, + { + name: 'Delete Cloud Instance', + id: 'T1578.003', + reference: 'https://attack.mitre.org/techniques/T1578/003', + tactics: ['defense-evasion'], + techniqueId: 'T1578', + }, + { + name: 'Determine Physical Locations', + id: 'T1591.001', + reference: 'https://attack.mitre.org/techniques/T1591/001', + tactics: ['reconnaissance'], + techniqueId: 'T1591', + }, + { + name: 'Device Registration', + id: 'T1098.005', + reference: 'https://attack.mitre.org/techniques/T1098/005', + tactics: ['persistence'], + techniqueId: 'T1098', + }, + { + name: 'Digital Certificates', + id: 'T1596.003', + reference: 'https://attack.mitre.org/techniques/T1596/003', + tactics: ['reconnaissance'], + techniqueId: 'T1596', + }, + { + name: 'Digital Certificates', + id: 'T1588.004', + reference: 'https://attack.mitre.org/techniques/T1588/004', + tactics: ['resource-development'], + techniqueId: 'T1588', + }, + { + name: 'Digital Certificates', + id: 'T1587.003', + reference: 'https://attack.mitre.org/techniques/T1587/003', + tactics: ['resource-development'], + techniqueId: 'T1587', + }, + { + name: 'Direct Network Flood', + id: 'T1498.001', + reference: 'https://attack.mitre.org/techniques/T1498/001', + tactics: ['impact'], + techniqueId: 'T1498', + }, + { + name: 'Disable Cloud Logs', + id: 'T1562.008', 
+ reference: 'https://attack.mitre.org/techniques/T1562/008', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, + { + name: 'Disable Crypto Hardware', + id: 'T1600.002', + reference: 'https://attack.mitre.org/techniques/T1600/002', + tactics: ['defense-evasion'], + techniqueId: 'T1600', + }, + { + name: 'Disable Windows Event Logging', + id: 'T1562.002', + reference: 'https://attack.mitre.org/techniques/T1562/002', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, + { + name: 'Disable or Modify Cloud Firewall', + id: 'T1562.007', + reference: 'https://attack.mitre.org/techniques/T1562/007', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, + { + name: 'Disable or Modify System Firewall', + id: 'T1562.004', + reference: 'https://attack.mitre.org/techniques/T1562/004', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, + { + name: 'Disable or Modify Tools', + id: 'T1562.001', + reference: 'https://attack.mitre.org/techniques/T1562/001', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, + { + name: 'Disk Content Wipe', + id: 'T1561.001', + reference: 'https://attack.mitre.org/techniques/T1561/001', + tactics: ['impact'], + techniqueId: 'T1561', + }, + { + name: 'Disk Structure Wipe', + id: 'T1561.002', + reference: 'https://attack.mitre.org/techniques/T1561/002', + tactics: ['impact'], + techniqueId: 'T1561', + }, + { + name: 'Distributed Component Object Model', + id: 'T1021.003', + reference: 'https://attack.mitre.org/techniques/T1021/003', + tactics: ['lateral-movement'], + techniqueId: 'T1021', + }, + { + name: 'Domain Account', + id: 'T1087.002', + reference: 'https://attack.mitre.org/techniques/T1087/002', + tactics: ['discovery'], + techniqueId: 'T1087', + }, + { + name: 'Domain Account', + id: 'T1136.002', + reference: 'https://attack.mitre.org/techniques/T1136/002', + tactics: ['persistence'], + techniqueId: 'T1136', + }, + { + name: 'Domain Accounts', + id: 'T1078.002', + reference: 
'https://attack.mitre.org/techniques/T1078/002', + tactics: ['defense-evasion', 'persistence', 'privilege-escalation', 'initial-access'], + techniqueId: 'T1078', + }, + { + name: 'Domain Controller Authentication', + id: 'T1556.001', + reference: 'https://attack.mitre.org/techniques/T1556/001', + tactics: ['credential-access', 'defense-evasion', 'persistence'], + techniqueId: 'T1556', + }, + { + name: 'Domain Fronting', + id: 'T1090.004', + reference: 'https://attack.mitre.org/techniques/T1090/004', + tactics: ['command-and-control'], + techniqueId: 'T1090', + }, + { + name: 'Domain Generation Algorithms', + id: 'T1568.002', + reference: 'https://attack.mitre.org/techniques/T1568/002', + tactics: ['command-and-control'], + techniqueId: 'T1568', + }, + { + name: 'Domain Groups', + id: 'T1069.002', + reference: 'https://attack.mitre.org/techniques/T1069/002', + tactics: ['discovery'], + techniqueId: 'T1069', + }, + { + name: 'Domain Properties', + id: 'T1590.001', + reference: 'https://attack.mitre.org/techniques/T1590/001', + tactics: ['reconnaissance'], + techniqueId: 'T1590', + }, + { + name: 'Domain Trust Modification', + id: 'T1484.002', + reference: 'https://attack.mitre.org/techniques/T1484/002', + tactics: ['defense-evasion', 'privilege-escalation'], + techniqueId: 'T1484', + }, + { + name: 'Domains', + id: 'T1583.001', + reference: 'https://attack.mitre.org/techniques/T1583/001', + tactics: ['resource-development'], + techniqueId: 'T1583', + }, + { + name: 'Domains', + id: 'T1584.001', + reference: 'https://attack.mitre.org/techniques/T1584/001', + tactics: ['resource-development'], + techniqueId: 'T1584', + }, + { + name: 'Double File Extension', + id: 'T1036.007', + reference: 'https://attack.mitre.org/techniques/T1036/007', + tactics: ['defense-evasion'], + techniqueId: 'T1036', + }, + { + name: 'Downgrade Attack', + id: 'T1562.010', + reference: 'https://attack.mitre.org/techniques/T1562/010', + tactics: ['defense-evasion'], + techniqueId: 'T1562', + }, 
+ { + name: 'Downgrade System Image', + id: 'T1601.002', + reference: 'https://attack.mitre.org/techniques/T1601/002', + tactics: ['defense-evasion'], + techniqueId: 'T1601', + }, + { + name: 'Drive-by Target', + id: 'T1608.004', + reference: 'https://attack.mitre.org/techniques/T1608/004', + tactics: ['resource-development'], + techniqueId: 'T1608', + }, + { + name: 'Dylib Hijacking', + id: 'T1574.004', + reference: 'https://attack.mitre.org/techniques/T1574/004', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + techniqueId: 'T1574', + }, + { + name: 'Dynamic Data Exchange', + id: 'T1559.002', + reference: 'https://attack.mitre.org/techniques/T1559/002', + tactics: ['execution'], + techniqueId: 'T1559', + }, + { + name: 'Dynamic Linker Hijacking', + id: 'T1574.006', + reference: 'https://attack.mitre.org/techniques/T1574/006', + tactics: ['persistence', 'privilege-escalation', 'defense-evasion'], + techniqueId: 'T1574', + }, + { + name: 'Dynamic-link Library Injection', + id: 'T1055.001', + reference: 'https://attack.mitre.org/techniques/T1055/001', + tactics: ['defense-evasion', 'privilege-escalation'], + techniqueId: 'T1055', + }, + { + name: 'Elevated Execution with Prompt', + id: 'T1548.004', + reference: 'https://attack.mitre.org/techniques/T1548/004', + tactics: ['privilege-escalation', 'defense-evasion'], + techniqueId: 'T1548', + }, + { + name: 'Email Account', + id: 'T1087.003', + reference: 'https://attack.mitre.org/techniques/T1087/003', + tactics: ['discovery'], + techniqueId: 'T1087', + }, + { + name: 'Email Accounts', + id: 'T1586.002', + reference: 'https://attack.mitre.org/techniques/T1586/002', + tactics: ['resource-development'], + techniqueId: 'T1586', + }, + { + name: 'Email Accounts', + id: 'T1585.002', + reference: 'https://attack.mitre.org/techniques/T1585/002', + tactics: ['resource-development'], + techniqueId: 'T1585', + }, + { + name: 'Email Addresses', + id: 'T1589.002', + reference: 
'https://attack.mitre.org/techniques/T1589/002',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1589',
+ },
+ {
+ name: 'Email Forwarding Rule',
+ id: 'T1114.003',
+ reference: 'https://attack.mitre.org/techniques/T1114/003',
+ tactics: ['collection'],
+ techniqueId: 'T1114',
+ },
+ {
+ name: 'Email Hiding Rules',
+ id: 'T1564.008',
+ reference: 'https://attack.mitre.org/techniques/T1564/008',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Emond',
+ id: 'T1546.014',
+ reference: 'https://attack.mitre.org/techniques/T1546/014',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'Employee Names',
+ id: 'T1589.003',
+ reference: 'https://attack.mitre.org/techniques/T1589/003',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1589',
+ },
+ {
+ name: 'Environmental Keying',
+ id: 'T1480.001',
+ reference: 'https://attack.mitre.org/techniques/T1480/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1480',
+ },
+ {
+ name: 'Executable Installer File Permissions Weakness',
+ id: 'T1574.005',
+ reference: 'https://attack.mitre.org/techniques/T1574/005',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Exfiltration Over Asymmetric Encrypted Non-C2 Protocol',
+ id: 'T1048.002',
+ reference: 'https://attack.mitre.org/techniques/T1048/002',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1048',
+ },
+ {
+ name: 'Exfiltration Over Bluetooth',
+ id: 'T1011.001',
+ reference: 'https://attack.mitre.org/techniques/T1011/001',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1011',
+ },
+ {
+ name: 'Exfiltration Over Symmetric Encrypted Non-C2 Protocol',
+ id: 'T1048.001',
+ reference: 'https://attack.mitre.org/techniques/T1048/001',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1048',
+ },
+ {
+ name: 'Exfiltration Over Unencrypted Non-C2 Protocol',
+ id: 'T1048.003',
+ reference: 'https://attack.mitre.org/techniques/T1048/003',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1048',
+ },
+ {
+ name: 'Exfiltration over USB',
+ id: 'T1052.001',
+ reference: 'https://attack.mitre.org/techniques/T1052/001',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1052',
+ },
+ {
+ name: 'Exfiltration to Cloud Storage',
+ id: 'T1567.002',
+ reference: 'https://attack.mitre.org/techniques/T1567/002',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1567',
+ },
+ {
+ name: 'Exfiltration to Code Repository',
+ id: 'T1567.001',
+ reference: 'https://attack.mitre.org/techniques/T1567/001',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1567',
+ },
+ {
+ name: 'Exploits',
+ id: 'T1587.004',
+ reference: 'https://attack.mitre.org/techniques/T1587/004',
+ tactics: ['resource-development'],
+ techniqueId: 'T1587',
+ },
+ {
+ name: 'Exploits',
+ id: 'T1588.005',
+ reference: 'https://attack.mitre.org/techniques/T1588/005',
+ tactics: ['resource-development'],
+ techniqueId: 'T1588',
+ },
+ {
+ name: 'External Defacement',
+ id: 'T1491.002',
+ reference: 'https://attack.mitre.org/techniques/T1491/002',
+ tactics: ['impact'],
+ techniqueId: 'T1491',
+ },
+ {
+ name: 'External Proxy',
+ id: 'T1090.002',
+ reference: 'https://attack.mitre.org/techniques/T1090/002',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1090',
+ },
+ {
+ name: 'Extra Window Memory Injection',
+ id: 'T1055.011',
+ reference: 'https://attack.mitre.org/techniques/T1055/011',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Fast Flux DNS',
+ id: 'T1568.001',
+ reference: 'https://attack.mitre.org/techniques/T1568/001',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1568',
+ },
+ {
+ name: 'File Deletion',
+ id: 'T1070.004',
+ reference: 'https://attack.mitre.org/techniques/T1070/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1070',
+ },
+ {
+ name: 'File Transfer Protocols',
+ id: 'T1071.002',
+ reference: 'https://attack.mitre.org/techniques/T1071/002',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1071',
+ },
+ {
+ name: 'Firmware',
+ id: 'T1592.003',
+ reference: 'https://attack.mitre.org/techniques/T1592/003',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1592',
+ },
+ {
+ name: 'GUI Input Capture',
+ id: 'T1056.002',
+ reference: 'https://attack.mitre.org/techniques/T1056/002',
+ tactics: ['collection', 'credential-access'],
+ techniqueId: 'T1056',
+ },
+ {
+ name: 'Gatekeeper Bypass',
+ id: 'T1553.001',
+ reference: 'https://attack.mitre.org/techniques/T1553/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1553',
+ },
+ {
+ name: 'Golden Ticket',
+ id: 'T1558.001',
+ reference: 'https://attack.mitre.org/techniques/T1558/001',
+ tactics: ['credential-access'],
+ techniqueId: 'T1558',
+ },
+ {
+ name: 'Group Policy Modification',
+ id: 'T1484.001',
+ reference: 'https://attack.mitre.org/techniques/T1484/001',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1484',
+ },
+ {
+ name: 'Group Policy Preferences',
+ id: 'T1552.006',
+ reference: 'https://attack.mitre.org/techniques/T1552/006',
+ tactics: ['credential-access'],
+ techniqueId: 'T1552',
+ },
+ {
+ name: 'HTML Smuggling',
+ id: 'T1027.006',
+ reference: 'https://attack.mitre.org/techniques/T1027/006',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1027',
+ },
+ {
+ name: 'Hardware',
+ id: 'T1592.001',
+ reference: 'https://attack.mitre.org/techniques/T1592/001',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1592',
+ },
+ {
+ name: 'Hidden File System',
+ id: 'T1564.005',
+ reference: 'https://attack.mitre.org/techniques/T1564/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Hidden Files and Directories',
+ id: 'T1564.001',
+ reference: 'https://attack.mitre.org/techniques/T1564/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Hidden Users',
+ id: 'T1564.002',
+ reference: 'https://attack.mitre.org/techniques/T1564/002',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Hidden Window',
+ id: 'T1564.003',
+ reference: 'https://attack.mitre.org/techniques/T1564/003',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'IIS Components',
+ id: 'T1505.004',
+ reference: 'https://attack.mitre.org/techniques/T1505/004',
+ tactics: ['persistence'],
+ techniqueId: 'T1505',
+ },
+ {
+ name: 'IP Addresses',
+ id: 'T1590.005',
+ reference: 'https://attack.mitre.org/techniques/T1590/005',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1590',
+ },
+ {
+ name: 'Identify Business Tempo',
+ id: 'T1591.003',
+ reference: 'https://attack.mitre.org/techniques/T1591/003',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1591',
+ },
+ {
+ name: 'Identify Roles',
+ id: 'T1591.004',
+ reference: 'https://attack.mitre.org/techniques/T1591/004',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1591',
+ },
+ {
+ name: 'Image File Execution Options Injection',
+ id: 'T1546.012',
+ reference: 'https://attack.mitre.org/techniques/T1546/012',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'Impair Command History Logging',
+ id: 'T1562.003',
+ reference: 'https://attack.mitre.org/techniques/T1562/003',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1562',
+ },
+ {
+ name: 'Indicator Blocking',
+ id: 'T1562.006',
+ reference: 'https://attack.mitre.org/techniques/T1562/006',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1562',
+ },
+ {
+ name: 'Indicator Removal from Tools',
+ id: 'T1027.005',
+ reference: 'https://attack.mitre.org/techniques/T1027/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1027',
+ },
+ {
+ name: 'Install Digital Certificate',
+ id: 'T1608.003',
+ reference: 'https://attack.mitre.org/techniques/T1608/003',
+ tactics: ['resource-development'],
+ techniqueId: 'T1608',
+ },
+ {
+ name: 'Install Root Certificate',
+ id: 'T1553.004',
+ reference: 'https://attack.mitre.org/techniques/T1553/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1553',
+ },
+ {
+ name: 'InstallUtil',
+ id: 'T1218.004',
+ reference: 'https://attack.mitre.org/techniques/T1218/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Internal Defacement',
+ id: 'T1491.001',
+ reference: 'https://attack.mitre.org/techniques/T1491/001',
+ tactics: ['impact'],
+ techniqueId: 'T1491',
+ },
+ {
+ name: 'Internal Proxy',
+ id: 'T1090.001',
+ reference: 'https://attack.mitre.org/techniques/T1090/001',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1090',
+ },
+ {
+ name: 'Internet Connection Discovery',
+ id: 'T1016.001',
+ reference: 'https://attack.mitre.org/techniques/T1016/001',
+ tactics: ['discovery'],
+ techniqueId: 'T1016',
+ },
+ {
+ name: 'Invalid Code Signature',
+ id: 'T1036.001',
+ reference: 'https://attack.mitre.org/techniques/T1036/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'JavaScript',
+ id: 'T1059.007',
+ reference: 'https://attack.mitre.org/techniques/T1059/007',
+ tactics: ['execution'],
+ techniqueId: 'T1059',
+ },
+ {
+ name: 'Junk Data',
+ id: 'T1001.001',
+ reference: 'https://attack.mitre.org/techniques/T1001/001',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1001',
+ },
+ {
+ name: 'Kerberoasting',
+ id: 'T1558.003',
+ reference: 'https://attack.mitre.org/techniques/T1558/003',
+ tactics: ['credential-access'],
+ techniqueId: 'T1558',
+ },
+ {
+ name: 'Kernel Modules and Extensions',
+ id: 'T1547.006',
+ reference: 'https://attack.mitre.org/techniques/T1547/006',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'KernelCallbackTable',
+ id: 'T1574.013',
+ reference: 'https://attack.mitre.org/techniques/T1574/013',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Keychain',
+ id: 'T1555.001',
+ reference: 'https://attack.mitre.org/techniques/T1555/001',
+ tactics: ['credential-access'],
+ techniqueId: 'T1555',
+ },
+ {
+ name: 'Keylogging',
+ id: 'T1056.001',
+ reference: 'https://attack.mitre.org/techniques/T1056/001',
+ tactics: ['collection', 'credential-access'],
+ techniqueId: 'T1056',
+ },
+ {
+ name: 'LC_LOAD_DYLIB Addition',
+ id: 'T1546.006',
+ reference: 'https://attack.mitre.org/techniques/T1546/006',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'LLMNR/NBT-NS Poisoning and SMB Relay',
+ id: 'T1557.001',
+ reference: 'https://attack.mitre.org/techniques/T1557/001',
+ tactics: ['credential-access', 'collection'],
+ techniqueId: 'T1557',
+ },
+ {
+ name: 'LSA Secrets',
+ id: 'T1003.004',
+ reference: 'https://attack.mitre.org/techniques/T1003/004',
+ tactics: ['credential-access'],
+ techniqueId: 'T1003',
+ },
+ {
+ name: 'LSASS Driver',
+ id: 'T1547.008',
+ reference: 'https://attack.mitre.org/techniques/T1547/008',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'LSASS Memory',
+ id: 'T1003.001',
+ reference: 'https://attack.mitre.org/techniques/T1003/001',
+ tactics: ['credential-access'],
+ techniqueId: 'T1003',
+ },
+ {
+ name: 'Launch Agent',
+ id: 'T1543.001',
+ reference: 'https://attack.mitre.org/techniques/T1543/001',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1543',
+ },
+ {
+ name: 'Launch Daemon',
+ id: 'T1543.004',
+ reference: 'https://attack.mitre.org/techniques/T1543/004',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1543',
+ },
+ {
+ name: 'Launchctl',
+ id: 'T1569.001',
+ reference: 'https://attack.mitre.org/techniques/T1569/001',
+ tactics: ['execution'],
+ techniqueId: 'T1569',
+ },
+ {
+ name: 'Launchd',
+ id: 'T1053.004',
+ reference: 'https://attack.mitre.org/techniques/T1053/004',
+ tactics: ['execution', 'persistence', 'privilege-escalation'],
+ techniqueId: 'T1053',
+ },
+ {
+ name: 'Link Target',
+ id: 'T1608.005',
+ reference: 'https://attack.mitre.org/techniques/T1608/005',
+ tactics: ['resource-development'],
+ techniqueId: 'T1608',
+ },
+ {
+ name: 'Linux and Mac File and Directory Permissions Modification',
+ id: 'T1222.002',
+ reference: 'https://attack.mitre.org/techniques/T1222/002',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1222',
+ },
+ {
+ name: 'ListPlanting',
+ id: 'T1055.015',
+ reference: 'https://attack.mitre.org/techniques/T1055/015',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Local Account',
+ id: 'T1087.001',
+ reference: 'https://attack.mitre.org/techniques/T1087/001',
+ tactics: ['discovery'],
+ techniqueId: 'T1087',
+ },
+ {
+ name: 'Local Account',
+ id: 'T1136.001',
+ reference: 'https://attack.mitre.org/techniques/T1136/001',
+ tactics: ['persistence'],
+ techniqueId: 'T1136',
+ },
+ {
+ name: 'Local Accounts',
+ id: 'T1078.003',
+ reference: 'https://attack.mitre.org/techniques/T1078/003',
+ tactics: ['defense-evasion', 'persistence', 'privilege-escalation', 'initial-access'],
+ techniqueId: 'T1078',
+ },
+ {
+ name: 'Local Data Staging',
+ id: 'T1074.001',
+ reference: 'https://attack.mitre.org/techniques/T1074/001',
+ tactics: ['collection'],
+ techniqueId: 'T1074',
+ },
+ {
+ name: 'Local Email Collection',
+ id: 'T1114.001',
+ reference: 'https://attack.mitre.org/techniques/T1114/001',
+ tactics: ['collection'],
+ techniqueId: 'T1114',
+ },
+ {
+ name: 'Local Groups',
+ id: 'T1069.001',
+ reference: 'https://attack.mitre.org/techniques/T1069/001',
+ tactics: ['discovery'],
+ techniqueId: 'T1069',
+ },
+ {
+ name: 'Login Hook',
+ id: 'T1037.002',
+ reference: 'https://attack.mitre.org/techniques/T1037/002',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1037',
+ },
+ {
+ name: 'Login Items',
+ id: 'T1547.015',
+ reference: 'https://attack.mitre.org/techniques/T1547/015',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Logon Script (Windows)',
+ id: 'T1037.001',
+ reference: 'https://attack.mitre.org/techniques/T1037/001',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1037',
+ },
+ {
+ name: 'MMC',
+ id: 'T1218.014',
+ reference: 'https://attack.mitre.org/techniques/T1218/014',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'MSBuild',
+ id: 'T1127.001',
+ reference: 'https://attack.mitre.org/techniques/T1127/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1127',
+ },
+ {
+ name: 'Mail Protocols',
+ id: 'T1071.003',
+ reference: 'https://attack.mitre.org/techniques/T1071/003',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1071',
+ },
+ {
+ name: 'Make and Impersonate Token',
+ id: 'T1134.003',
+ reference: 'https://attack.mitre.org/techniques/T1134/003',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1134',
+ },
+ {
+ name: 'Malicious File',
+ id: 'T1204.002',
+ reference: 'https://attack.mitre.org/techniques/T1204/002',
+ tactics: ['execution'],
+ techniqueId: 'T1204',
+ },
+ {
+ name: 'Malicious Image',
+ id: 'T1204.003',
+ reference: 'https://attack.mitre.org/techniques/T1204/003',
+ tactics: ['execution'],
+ techniqueId: 'T1204',
+ },
+ {
+ name: 'Malicious Link',
+ id: 'T1204.001',
+ reference: 'https://attack.mitre.org/techniques/T1204/001',
+ tactics: ['execution'],
+ techniqueId: 'T1204',
+ },
+ {
+ name: 'Malware',
+ id: 'T1587.001',
+ reference: 'https://attack.mitre.org/techniques/T1587/001',
+ tactics: ['resource-development'],
+ techniqueId: 'T1587',
+ },
+ {
+ name: 'Malware',
+ id: 'T1588.001',
+ reference: 'https://attack.mitre.org/techniques/T1588/001',
+ tactics: ['resource-development'],
+ techniqueId: 'T1588',
+ },
+ {
+ name: 'Mark-of-the-Web Bypass',
+ id: 'T1553.005',
+ reference: 'https://attack.mitre.org/techniques/T1553/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1553',
+ },
+ {
+ name: 'Masquerade Task or Service',
+ id: 'T1036.004',
+ reference: 'https://attack.mitre.org/techniques/T1036/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'Match Legitimate Name or Location',
+ id: 'T1036.005',
+ reference: 'https://attack.mitre.org/techniques/T1036/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'Mavinject',
+ id: 'T1218.013',
+ reference: 'https://attack.mitre.org/techniques/T1218/013',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Mshta',
+ id: 'T1218.005',
+ reference: 'https://attack.mitre.org/techniques/T1218/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Msiexec',
+ id: 'T1218.007',
+ reference: 'https://attack.mitre.org/techniques/T1218/007',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Multi-hop Proxy',
+ id: 'T1090.003',
+ reference: 'https://attack.mitre.org/techniques/T1090/003',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1090',
+ },
+ {
+ name: 'NTDS',
+ id: 'T1003.003',
+ reference: 'https://attack.mitre.org/techniques/T1003/003',
+ tactics: ['credential-access'],
+ techniqueId: 'T1003',
+ },
+ {
+ name: 'NTFS File Attributes',
+ id: 'T1564.004',
+ reference: 'https://attack.mitre.org/techniques/T1564/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Netsh Helper DLL',
+ id: 'T1546.007',
+ reference: 'https://attack.mitre.org/techniques/T1546/007',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'Network Address Translation Traversal',
+ id: 'T1599.001',
+ reference: 'https://attack.mitre.org/techniques/T1599/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1599',
+ },
+ {
+ name: 'Network Device Authentication',
+ id: 'T1556.004',
+ reference: 'https://attack.mitre.org/techniques/T1556/004',
+ tactics: ['credential-access', 'defense-evasion', 'persistence'],
+ techniqueId: 'T1556',
+ },
+ {
+ name: 'Network Device CLI',
+ id: 'T1059.008',
+ reference: 'https://attack.mitre.org/techniques/T1059/008',
+ tactics: ['execution'],
+ techniqueId: 'T1059',
+ },
+ {
+ name: 'Network Device Configuration Dump',
+ id: 'T1602.002',
+ reference: 'https://attack.mitre.org/techniques/T1602/002',
+ tactics: ['collection'],
+ techniqueId: 'T1602',
+ },
+ {
+ name: 'Network Logon Script',
+ id: 'T1037.003',
+ reference: 'https://attack.mitre.org/techniques/T1037/003',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1037',
+ },
+ {
+ name: 'Network Security Appliances',
+ id: 'T1590.006',
+ reference: 'https://attack.mitre.org/techniques/T1590/006',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1590',
+ },
+ {
+ name: 'Network Share Connection Removal',
+ id: 'T1070.005',
+ reference: 'https://attack.mitre.org/techniques/T1070/005',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1070',
+ },
+ {
+ name: 'Network Topology',
+ id: 'T1590.004',
+ reference: 'https://attack.mitre.org/techniques/T1590/004',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1590',
+ },
+ {
+ name: 'Network Trust Dependencies',
+ id: 'T1590.003',
+ reference: 'https://attack.mitre.org/techniques/T1590/003',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1590',
+ },
+ {
+ name: 'Non-Standard Encoding',
+ id: 'T1132.002',
+ reference: 'https://attack.mitre.org/techniques/T1132/002',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1132',
+ },
+ {
+ name: 'OS Exhaustion Flood',
+ id: 'T1499.001',
+ reference: 'https://attack.mitre.org/techniques/T1499/001',
+ tactics: ['impact'],
+ techniqueId: 'T1499',
+ },
+ {
+ name: 'Odbcconf',
+ id: 'T1218.008',
+ reference: 'https://attack.mitre.org/techniques/T1218/008',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Office Template Macros',
+ id: 'T1137.001',
+ reference: 'https://attack.mitre.org/techniques/T1137/001',
+ tactics: ['persistence'],
+ techniqueId: 'T1137',
+ },
+ {
+ name: 'Office Test',
+ id: 'T1137.002',
+ reference: 'https://attack.mitre.org/techniques/T1137/002',
+ tactics: ['persistence'],
+ techniqueId: 'T1137',
+ },
+ {
+ name: 'One-Way Communication',
+ id: 'T1102.003',
+ reference: 'https://attack.mitre.org/techniques/T1102/003',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1102',
+ },
+ {
+ name: 'Outlook Forms',
+ id: 'T1137.003',
+ reference: 'https://attack.mitre.org/techniques/T1137/003',
+ tactics: ['persistence'],
+ techniqueId: 'T1137',
+ },
+ {
+ name: 'Outlook Home Page',
+ id: 'T1137.004',
+ reference: 'https://attack.mitre.org/techniques/T1137/004',
+ tactics: ['persistence'],
+ techniqueId: 'T1137',
+ },
+ {
+ name: 'Outlook Rules',
+ id: 'T1137.005',
+ reference: 'https://attack.mitre.org/techniques/T1137/005',
+ tactics: ['persistence'],
+ techniqueId: 'T1137',
+ },
+ {
+ name: 'Parent PID Spoofing',
+ id: 'T1134.004',
+ reference: 'https://attack.mitre.org/techniques/T1134/004',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1134',
+ },
+ {
+ name: 'Pass the Hash',
+ id: 'T1550.002',
+ reference: 'https://attack.mitre.org/techniques/T1550/002',
+ tactics: ['defense-evasion', 'lateral-movement'],
+ techniqueId: 'T1550',
+ },
+ {
+ name: 'Pass the Ticket',
+ id: 'T1550.003',
+ reference: 'https://attack.mitre.org/techniques/T1550/003',
+ tactics: ['defense-evasion', 'lateral-movement'],
+ techniqueId: 'T1550',
+ },
+ {
+ name: 'Password Cracking',
+ id: 'T1110.002',
+ reference: 'https://attack.mitre.org/techniques/T1110/002',
+ tactics: ['credential-access'],
+ techniqueId: 'T1110',
+ },
+ {
+ name: 'Password Filter DLL',
+ id: 'T1556.002',
+ reference: 'https://attack.mitre.org/techniques/T1556/002',
+ tactics: ['credential-access', 'defense-evasion', 'persistence'],
+ techniqueId: 'T1556',
+ },
+ {
+ name: 'Password Guessing',
+ id: 'T1110.001',
+ reference: 'https://attack.mitre.org/techniques/T1110/001',
+ tactics: ['credential-access'],
+ techniqueId: 'T1110',
+ },
+ {
+ name: 'Password Managers',
+ id: 'T1555.005',
+ reference: 'https://attack.mitre.org/techniques/T1555/005',
+ tactics: ['credential-access'],
+ techniqueId: 'T1555',
+ },
+ {
+ name: 'Password Spraying',
+ id: 'T1110.003',
+ reference: 'https://attack.mitre.org/techniques/T1110/003',
+ tactics: ['credential-access'],
+ techniqueId: 'T1110',
+ },
+ {
+ name: 'Patch System Image',
+ id: 'T1601.001',
+ reference: 'https://attack.mitre.org/techniques/T1601/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1601',
+ },
+ {
+ name: 'Path Interception by PATH Environment Variable',
+ id: 'T1574.007',
+ reference: 'https://attack.mitre.org/techniques/T1574/007',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Path Interception by Search Order Hijacking',
+ id: 'T1574.008',
+ reference: 'https://attack.mitre.org/techniques/T1574/008',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Path Interception by Unquoted Path',
+ id: 'T1574.009',
+ reference: 'https://attack.mitre.org/techniques/T1574/009',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Plist Modification',
+ id: 'T1547.011',
+ reference: 'https://attack.mitre.org/techniques/T1547/011',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Pluggable Authentication Modules',
+ id: 'T1556.003',
+ reference: 'https://attack.mitre.org/techniques/T1556/003',
+ tactics: ['credential-access', 'defense-evasion', 'persistence'],
+ techniqueId: 'T1556',
+ },
+ {
+ name: 'Port Knocking',
+ id: 'T1205.001',
+ reference: 'https://attack.mitre.org/techniques/T1205/001',
+ tactics: ['defense-evasion', 'persistence', 'command-and-control'],
+ techniqueId: 'T1205',
+ },
+ {
+ name: 'Port Monitors',
+ id: 'T1547.010',
+ reference: 'https://attack.mitre.org/techniques/T1547/010',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Portable Executable Injection',
+ id: 'T1055.002',
+ reference: 'https://attack.mitre.org/techniques/T1055/002',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'PowerShell',
+ id: 'T1059.001',
+ reference: 'https://attack.mitre.org/techniques/T1059/001',
+ tactics: ['execution'],
+ techniqueId: 'T1059',
+ },
+ {
+ name: 'PowerShell Profile',
+ id: 'T1546.013',
+ reference: 'https://attack.mitre.org/techniques/T1546/013',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'Print Processors',
+ id: 'T1547.012',
+ reference: 'https://attack.mitre.org/techniques/T1547/012',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Private Keys',
+ id: 'T1552.004',
+ reference: 'https://attack.mitre.org/techniques/T1552/004',
+ tactics: ['credential-access'],
+ techniqueId: 'T1552',
+ },
+ {
+ name: 'Proc Filesystem',
+ id: 'T1003.007',
+ reference: 'https://attack.mitre.org/techniques/T1003/007',
+ tactics: ['credential-access'],
+ techniqueId: 'T1003',
+ },
+ {
+ name: 'Proc Memory',
+ id: 'T1055.009',
+ reference: 'https://attack.mitre.org/techniques/T1055/009',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Process Argument Spoofing',
+ id: 'T1564.010',
+ reference: 'https://attack.mitre.org/techniques/T1564/010',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Process Doppelgänging',
+ id: 'T1055.013',
+ reference: 'https://attack.mitre.org/techniques/T1055/013',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Process Hollowing',
+ id: 'T1055.012',
+ reference: 'https://attack.mitre.org/techniques/T1055/012',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Protocol Impersonation',
+ id: 'T1001.003',
+ reference: 'https://attack.mitre.org/techniques/T1001/003',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1001',
+ },
+ {
+ name: 'Ptrace System Calls',
+ id: 'T1055.008',
+ reference: 'https://attack.mitre.org/techniques/T1055/008',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'PubPrn',
+ id: 'T1216.001',
+ reference: 'https://attack.mitre.org/techniques/T1216/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1216',
+ },
+ {
+ name: 'Purchase Technical Data',
+ id: 'T1597.002',
+ reference: 'https://attack.mitre.org/techniques/T1597/002',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1597',
+ },
+ {
+ name: 'Python',
+ id: 'T1059.006',
+ reference: 'https://attack.mitre.org/techniques/T1059/006',
+ tactics: ['execution'],
+ techniqueId: 'T1059',
+ },
+ {
+ name: 'RC Scripts',
+ id: 'T1037.004',
+ reference: 'https://attack.mitre.org/techniques/T1037/004',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1037',
+ },
+ {
+ name: 'RDP Hijacking',
+ id: 'T1563.002',
+ reference: 'https://attack.mitre.org/techniques/T1563/002',
+ tactics: ['lateral-movement'],
+ techniqueId: 'T1563',
+ },
+ {
+ name: 'ROMMONkit',
+ id: 'T1542.004',
+ reference: 'https://attack.mitre.org/techniques/T1542/004',
+ tactics: ['defense-evasion', 'persistence'],
+ techniqueId: 'T1542',
+ },
+ {
+ name: 'Re-opened Applications',
+ id: 'T1547.007',
+ reference: 'https://attack.mitre.org/techniques/T1547/007',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Reduce Key Space',
+ id: 'T1600.001',
+ reference: 'https://attack.mitre.org/techniques/T1600/001',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1600',
+ },
+ {
+ name: 'Reflection Amplification',
+ id: 'T1498.002',
+ reference: 'https://attack.mitre.org/techniques/T1498/002',
+ tactics: ['impact'],
+ techniqueId: 'T1498',
+ },
+ {
+ name: 'Registry Run Keys / Startup Folder',
+ id: 'T1547.001',
+ reference: 'https://attack.mitre.org/techniques/T1547/001',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Regsvcs/Regasm',
+ id: 'T1218.009',
+ reference: 'https://attack.mitre.org/techniques/T1218/009',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Regsvr32',
+ id: 'T1218.010',
+ reference: 'https://attack.mitre.org/techniques/T1218/010',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Remote Data Staging',
+ id: 'T1074.002',
+ reference: 'https://attack.mitre.org/techniques/T1074/002',
+ tactics: ['collection'],
+ techniqueId: 'T1074',
+ },
+ {
+ name: 'Remote Desktop Protocol',
+ id: 'T1021.001',
+ reference: 'https://attack.mitre.org/techniques/T1021/001',
+ tactics: ['lateral-movement'],
+ techniqueId: 'T1021',
+ },
+ {
+ name: 'Remote Email Collection',
+ id: 'T1114.002',
+ reference: 'https://attack.mitre.org/techniques/T1114/002',
+ tactics: ['collection'],
+ techniqueId: 'T1114',
+ },
+ {
+ name: 'Rename System Utilities',
+ id: 'T1036.003',
+ reference: 'https://attack.mitre.org/techniques/T1036/003',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'Resource Forking',
+ id: 'T1564.009',
+ reference: 'https://attack.mitre.org/techniques/T1564/009',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Reversible Encryption',
+ id: 'T1556.005',
+ reference: 'https://attack.mitre.org/techniques/T1556/005',
+ tactics: ['credential-access', 'defense-evasion', 'persistence'],
+ techniqueId: 'T1556',
+ },
+ {
+ name: 'Revert Cloud Instance',
+ id: 'T1578.004',
+ reference: 'https://attack.mitre.org/techniques/T1578/004',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1578',
+ },
+ {
+ name: 'Right-to-Left Override',
+ id: 'T1036.002',
+ reference: 'https://attack.mitre.org/techniques/T1036/002',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'Run Virtual Instance',
+ id: 'T1564.006',
+ reference: 'https://attack.mitre.org/techniques/T1564/006',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1564',
+ },
+ {
+ name: 'Rundll32',
+ id: 'T1218.011',
+ reference: 'https://attack.mitre.org/techniques/T1218/011',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1218',
+ },
+ {
+ name: 'Runtime Data Manipulation',
+ id: 'T1565.003',
+ reference: 'https://attack.mitre.org/techniques/T1565/003',
+ tactics: ['impact'],
+ techniqueId: 'T1565',
+ },
+ {
+ name: 'SAML Tokens',
+ id: 'T1606.002',
+ reference: 'https://attack.mitre.org/techniques/T1606/002',
+ tactics: ['credential-access'],
+ techniqueId: 'T1606',
+ },
+ {
+ name: 'SID-History Injection',
+ id: 'T1134.005',
+ reference: 'https://attack.mitre.org/techniques/T1134/005',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1134',
+ },
+ {
+ name: 'SIP and Trust Provider Hijacking',
+ id: 'T1553.003',
+ reference: 'https://attack.mitre.org/techniques/T1553/003',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1553',
+ },
+ {
+ name: 'SMB/Windows Admin Shares',
+ id: 'T1021.002',
+ reference: 'https://attack.mitre.org/techniques/T1021/002',
+ tactics: ['lateral-movement'],
+ techniqueId: 'T1021',
+ },
+ {
+ name: 'SNMP (MIB Dump)',
+ id: 'T1602.001',
+ reference: 'https://attack.mitre.org/techniques/T1602/001',
+ tactics: ['collection'],
+ techniqueId: 'T1602',
+ },
+ {
+ name: 'SQL Stored Procedures',
+ id: 'T1505.001',
+ reference: 'https://attack.mitre.org/techniques/T1505/001',
+ tactics: ['persistence'],
+ techniqueId: 'T1505',
+ },
+ {
+ name: 'SSH',
+ id: 'T1021.004',
+ reference: 'https://attack.mitre.org/techniques/T1021/004',
+ tactics: ['lateral-movement'],
+ techniqueId: 'T1021',
+ },
+ {
+ name: 'SSH Authorized Keys',
+ id: 'T1098.004',
+ reference: 'https://attack.mitre.org/techniques/T1098/004',
+ tactics: ['persistence'],
+ techniqueId: 'T1098',
+ },
+ {
+ name: 'SSH Hijacking',
+ id: 'T1563.001',
+ reference: 'https://attack.mitre.org/techniques/T1563/001',
+ tactics: ['lateral-movement'],
+ techniqueId: 'T1563',
+ },
+ {
+ name: 'Safe Mode Boot',
+ id: 'T1562.009',
+ reference: 'https://attack.mitre.org/techniques/T1562/009',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1562',
+ },
+ {
+ name: 'Scan Databases',
+ id: 'T1596.005',
+ reference: 'https://attack.mitre.org/techniques/T1596/005',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1596',
+ },
+ {
+ name: 'Scanning IP Blocks',
+ id: 'T1595.001',
+ reference: 'https://attack.mitre.org/techniques/T1595/001',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1595',
+ },
+ {
+ name: 'Scheduled Task',
+ id: 'T1053.005',
+ reference: 'https://attack.mitre.org/techniques/T1053/005',
+ tactics: ['execution', 'persistence', 'privilege-escalation'],
+ techniqueId: 'T1053',
+ },
+ {
+ name: 'Screensaver',
+ id: 'T1546.002',
+ reference: 'https://attack.mitre.org/techniques/T1546/002',
+ tactics: ['privilege-escalation', 'persistence'],
+ techniqueId: 'T1546',
+ },
+ {
+ name: 'Search Engines',
+ id: 'T1593.002',
+ reference: 'https://attack.mitre.org/techniques/T1593/002',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1593',
+ },
+ {
+ name: 'Security Account Manager',
+ id: 'T1003.002',
+ reference: 'https://attack.mitre.org/techniques/T1003/002',
+ tactics: ['credential-access'],
+ techniqueId: 'T1003',
+ },
+ {
+ name: 'Security Software Discovery',
+ id: 'T1518.001',
+ reference: 'https://attack.mitre.org/techniques/T1518/001',
+ tactics: ['discovery'],
+ techniqueId: 'T1518',
+ },
+ {
+ name: 'Security Support Provider',
+ id: 'T1547.005',
+ reference: 'https://attack.mitre.org/techniques/T1547/005',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Securityd Memory',
+ id: 'T1555.002',
+ reference: 'https://attack.mitre.org/techniques/T1555/002',
+ tactics: ['credential-access'],
+ techniqueId: 'T1555',
+ },
+ {
+ name: 'Server',
+ id: 'T1583.004',
+ reference: 'https://attack.mitre.org/techniques/T1583/004',
+ tactics: ['resource-development'],
+ techniqueId: 'T1583',
+ },
+ {
+ name: 'Server',
+ id: 'T1584.004',
+ reference: 'https://attack.mitre.org/techniques/T1584/004',
+ tactics: ['resource-development'],
+ techniqueId: 'T1584',
+ },
+ {
+ name: 'Service Execution',
+ id: 'T1569.002',
+ reference: 'https://attack.mitre.org/techniques/T1569/002',
+ tactics: ['execution'],
+ techniqueId: 'T1569',
+ },
+ {
+ name: 'Service Exhaustion Flood',
+ id: 'T1499.002',
+ reference: 'https://attack.mitre.org/techniques/T1499/002',
+ tactics: ['impact'],
+ techniqueId: 'T1499',
+ },
+ {
+ name: 'Services File Permissions Weakness',
+ id: 'T1574.010',
+ reference: 'https://attack.mitre.org/techniques/T1574/010',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Services Registry Permissions Weakness',
+ id: 'T1574.011',
+ reference: 'https://attack.mitre.org/techniques/T1574/011',
+ tactics: ['persistence', 'privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1574',
+ },
+ {
+ name: 'Setuid and Setgid',
+ id: 'T1548.001',
+ reference: 'https://attack.mitre.org/techniques/T1548/001',
+ tactics: ['privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1548',
+ },
+ {
+ name: 'Sharepoint',
+ id: 'T1213.002',
+ reference: 'https://attack.mitre.org/techniques/T1213/002',
+ tactics: ['collection'],
+ techniqueId: 'T1213',
+ },
+ {
+ name: 'Shortcut Modification',
+ id: 'T1547.009',
+ reference: 'https://attack.mitre.org/techniques/T1547/009',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Silver Ticket',
+ id: 'T1558.002',
+ reference: 'https://attack.mitre.org/techniques/T1558/002',
+ tactics: ['credential-access'],
+ techniqueId: 'T1558',
+ },
+ {
+ name: 'Social Media',
+ id: 'T1593.001',
+ reference: 'https://attack.mitre.org/techniques/T1593/001',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1593',
+ },
+ {
+ name: 'Social Media Accounts',
+ id: 'T1586.001',
+ reference: 'https://attack.mitre.org/techniques/T1586/001',
+ tactics: ['resource-development'],
+ techniqueId: 'T1586',
+ },
+ {
+ name: 'Social Media Accounts',
+ id: 'T1585.001',
+ reference: 'https://attack.mitre.org/techniques/T1585/001',
+ tactics: ['resource-development'],
+ techniqueId: 'T1585',
+ },
+ {
+ name: 'Software',
+ id: 'T1592.002',
+ reference: 'https://attack.mitre.org/techniques/T1592/002',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1592',
+ },
+ {
+ name: 'Software Packing',
+ id: 'T1027.002',
+ reference: 'https://attack.mitre.org/techniques/T1027/002',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1027',
+ },
+ {
+ name: 'Space after Filename',
+ id: 'T1036.006',
+ reference: 'https://attack.mitre.org/techniques/T1036/006',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1036',
+ },
+ {
+ name: 'Spearphishing Attachment',
+ id: 'T1566.001',
+ reference: 'https://attack.mitre.org/techniques/T1566/001',
+ tactics: ['initial-access'],
+ techniqueId: 'T1566',
+ },
+ {
+ name: 'Spearphishing Attachment',
+ id: 'T1598.002',
+ reference: 'https://attack.mitre.org/techniques/T1598/002',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1598',
+ },
+ {
+ name: 'Spearphishing Link',
+ id: 'T1566.002',
+ reference: 'https://attack.mitre.org/techniques/T1566/002',
+ tactics: ['initial-access'],
+ techniqueId: 'T1566',
+ },
+ {
+ name: 'Spearphishing Link',
+ id: 'T1598.003',
+ reference: 'https://attack.mitre.org/techniques/T1598/003',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1598',
+ },
+ {
+ name: 'Spearphishing Service',
+ id: 'T1598.001',
+ reference: 'https://attack.mitre.org/techniques/T1598/001',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1598',
+ },
+ {
+ name: 'Spearphishing via Service',
+ id: 'T1566.003',
+ reference: 'https://attack.mitre.org/techniques/T1566/003',
+ tactics: ['initial-access'],
+ techniqueId: 'T1566',
+ },
+ {
+ name: 'Standard Encoding',
+ id: 'T1132.001',
+ reference: 'https://attack.mitre.org/techniques/T1132/001',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1132',
+ },
+ {
+ name: 'Startup Items',
+ id: 'T1037.005',
+ reference: 'https://attack.mitre.org/techniques/T1037/005',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1037',
+ },
+ {
+ name: 'Steganography',
+ id: 'T1027.003',
+ reference: 'https://attack.mitre.org/techniques/T1027/003',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1027',
+ },
+ {
+ name: 'Steganography',
+ id: 'T1001.002',
+ reference: 'https://attack.mitre.org/techniques/T1001/002',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1001',
+ },
+ {
+ name: 'Stored Data Manipulation',
+ id: 'T1565.001',
+ reference: 'https://attack.mitre.org/techniques/T1565/001',
+ tactics: ['impact'],
+ techniqueId: 'T1565',
+ },
+ {
+ name: 'Sudo and Sudo Caching',
+ id: 'T1548.003',
+ reference: 'https://attack.mitre.org/techniques/T1548/003',
+ tactics: ['privilege-escalation', 'defense-evasion'],
+ techniqueId: 'T1548',
+ },
+ {
+ name: 'Symmetric Cryptography',
+ id: 'T1573.001',
+ reference: 'https://attack.mitre.org/techniques/T1573/001',
+ tactics: ['command-and-control'],
+ techniqueId: 'T1573',
+ },
+ {
+ name: 'System Checks',
+ id: 'T1497.001',
+ reference: 'https://attack.mitre.org/techniques/T1497/001',
+ tactics: ['defense-evasion', 'discovery'],
+ techniqueId: 'T1497',
+ },
+ {
+ name: 'System Firmware',
+ id: 'T1542.001',
+ reference: 'https://attack.mitre.org/techniques/T1542/001',
+ tactics: ['persistence', 'defense-evasion'],
+ techniqueId: 'T1542',
+ },
+ {
+ name: 'System Language Discovery',
+ id: 'T1614.001',
+ reference: 'https://attack.mitre.org/techniques/T1614/001',
+ tactics: ['discovery'],
+ techniqueId: 'T1614',
+ },
+ {
+ name: 'Systemd Service',
+ id: 'T1543.002',
+ reference: 'https://attack.mitre.org/techniques/T1543/002',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1543',
+ },
+ {
+ name: 'Systemd Timers',
+ id: 'T1053.006',
+ reference: 'https://attack.mitre.org/techniques/T1053/006',
+ tactics: ['execution', 'persistence', 'privilege-escalation'],
+ techniqueId: 'T1053',
+ },
+ {
+ name: 'TFTP Boot',
+ id: 'T1542.005',
+ reference: 'https://attack.mitre.org/techniques/T1542/005',
+ tactics: ['defense-evasion', 'persistence'],
+ techniqueId: 'T1542',
+ },
+ {
+ name: 'Terminal Services DLL',
+ id: 'T1505.005',
+ reference: 'https://attack.mitre.org/techniques/T1505/005',
+ tactics: ['persistence'],
+ techniqueId: 'T1505',
+ },
+ {
+ name: 'Thread Execution Hijacking',
+ id: 'T1055.003',
+ reference: 'https://attack.mitre.org/techniques/T1055/003',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Thread Local Storage',
+ id: 'T1055.005',
+ reference: 'https://attack.mitre.org/techniques/T1055/005',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1055',
+ },
+ {
+ name: 'Threat Intel Vendors',
+ id: 'T1597.001',
+ reference: 'https://attack.mitre.org/techniques/T1597/001',
+ tactics: ['reconnaissance'],
+ techniqueId: 'T1597',
+ },
+ {
+ name: 'Time Based Evasion',
+ id: 'T1497.003',
+ reference: 'https://attack.mitre.org/techniques/T1497/003',
+ tactics: ['defense-evasion', 'discovery'],
+ techniqueId: 'T1497',
+ },
+ {
+ name: 'Time Providers',
+ id: 'T1547.003',
+ reference: 'https://attack.mitre.org/techniques/T1547/003',
+ tactics: ['persistence', 'privilege-escalation'],
+ techniqueId: 'T1547',
+ },
+ {
+ name: 'Timestomp',
+ id: 'T1070.006',
+ reference: 'https://attack.mitre.org/techniques/T1070/006',
+ tactics: ['defense-evasion'],
+ techniqueId: 'T1070',
+ },
+ {
+ name: 'Token Impersonation/Theft',
+ id: 'T1134.001',
+ reference: 'https://attack.mitre.org/techniques/T1134/001',
+ tactics: ['defense-evasion', 'privilege-escalation'],
+ techniqueId: 'T1134',
+ },
+ {
+ name: 'Tool',
+ id: 'T1588.002',
+ reference: 'https://attack.mitre.org/techniques/T1588/002',
+ tactics: ['resource-development'],
+ techniqueId: 'T1588',
+ },
+ {
+ name: 'Traffic Duplication',
+ id: 'T1020.001',
+ reference: 'https://attack.mitre.org/techniques/T1020/001',
+ tactics: ['exfiltration'],
+ techniqueId: 'T1020', + }, + { + name: 'Transmitted Data Manipulation', + id: 'T1565.002', + reference: 'https://attack.mitre.org/techniques/T1565/002', + tactics: ['impact'], + techniqueId: 'T1565', + }, + { + name: 'Transport Agent', + id: 'T1505.002', + reference: 'https://attack.mitre.org/techniques/T1505/002', + tactics: ['persistence'], + techniqueId: 'T1505', + }, + { + name: 'Trap', + id: 'T1546.005', + reference: 'https://attack.mitre.org/techniques/T1546/005', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Unix Shell', + id: 'T1059.004', + reference: 'https://attack.mitre.org/techniques/T1059/004', + tactics: ['execution'], + techniqueId: 'T1059', + }, + { + name: 'Unix Shell Configuration Modification', + id: 'T1546.004', + reference: 'https://attack.mitre.org/techniques/T1546/004', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Upload Malware', + id: 'T1608.001', + reference: 'https://attack.mitre.org/techniques/T1608/001', + tactics: ['resource-development'], + techniqueId: 'T1608', + }, + { + name: 'Upload Tool', + id: 'T1608.002', + reference: 'https://attack.mitre.org/techniques/T1608/002', + tactics: ['resource-development'], + techniqueId: 'T1608', + }, + { + name: 'User Activity Based Checks', + id: 'T1497.002', + reference: 'https://attack.mitre.org/techniques/T1497/002', + tactics: ['defense-evasion', 'discovery'], + techniqueId: 'T1497', + }, + { + name: 'VBA Stomping', + id: 'T1564.007', + reference: 'https://attack.mitre.org/techniques/T1564/007', + tactics: ['defense-evasion'], + techniqueId: 'T1564', + }, + { + name: 'VDSO Hijacking', + id: 'T1055.014', + reference: 'https://attack.mitre.org/techniques/T1055/014', + tactics: ['defense-evasion', 'privilege-escalation'], + techniqueId: 'T1055', + }, + { + name: 'VNC', + id: 'T1021.005', + reference: 'https://attack.mitre.org/techniques/T1021/005', + tactics: ['lateral-movement'], + techniqueId: 
'T1021', + }, + { + name: 'Verclsid', + id: 'T1218.012', + reference: 'https://attack.mitre.org/techniques/T1218/012', + tactics: ['defense-evasion'], + techniqueId: 'T1218', + }, + { + name: 'Virtual Private Server', + id: 'T1584.003', + reference: 'https://attack.mitre.org/techniques/T1584/003', + tactics: ['resource-development'], + techniqueId: 'T1584', + }, + { + name: 'Virtual Private Server', + id: 'T1583.003', + reference: 'https://attack.mitre.org/techniques/T1583/003', + tactics: ['resource-development'], + techniqueId: 'T1583', + }, + { + name: 'Visual Basic', + id: 'T1059.005', + reference: 'https://attack.mitre.org/techniques/T1059/005', + tactics: ['execution'], + techniqueId: 'T1059', + }, + { + name: 'Vulnerabilities', + id: 'T1588.006', + reference: 'https://attack.mitre.org/techniques/T1588/006', + tactics: ['resource-development'], + techniqueId: 'T1588', + }, + { + name: 'Vulnerability Scanning', + id: 'T1595.002', + reference: 'https://attack.mitre.org/techniques/T1595/002', + tactics: ['reconnaissance'], + techniqueId: 'T1595', + }, + { + name: 'WHOIS', + id: 'T1596.002', + reference: 'https://attack.mitre.org/techniques/T1596/002', + tactics: ['reconnaissance'], + techniqueId: 'T1596', + }, + { + name: 'Web Cookies', + id: 'T1606.001', + reference: 'https://attack.mitre.org/techniques/T1606/001', + tactics: ['credential-access'], + techniqueId: 'T1606', + }, + { + name: 'Web Portal Capture', + id: 'T1056.003', + reference: 'https://attack.mitre.org/techniques/T1056/003', + tactics: ['collection', 'credential-access'], + techniqueId: 'T1056', + }, + { + name: 'Web Protocols', + id: 'T1071.001', + reference: 'https://attack.mitre.org/techniques/T1071/001', + tactics: ['command-and-control'], + techniqueId: 'T1071', + }, + { + name: 'Web Services', + id: 'T1583.006', + reference: 'https://attack.mitre.org/techniques/T1583/006', + tactics: ['resource-development'], + techniqueId: 'T1583', + }, + { + name: 'Web Services', + id: 'T1584.006', + 
reference: 'https://attack.mitre.org/techniques/T1584/006', + tactics: ['resource-development'], + techniqueId: 'T1584', + }, + { + name: 'Web Session Cookie', + id: 'T1550.004', + reference: 'https://attack.mitre.org/techniques/T1550/004', + tactics: ['defense-evasion', 'lateral-movement'], + techniqueId: 'T1550', + }, + { + name: 'Web Shell', + id: 'T1505.003', + reference: 'https://attack.mitre.org/techniques/T1505/003', + tactics: ['persistence'], + techniqueId: 'T1505', + }, + { + name: 'Windows Command Shell', + id: 'T1059.003', + reference: 'https://attack.mitre.org/techniques/T1059/003', + tactics: ['execution'], + techniqueId: 'T1059', + }, + { + name: 'Windows Credential Manager', + id: 'T1555.004', + reference: 'https://attack.mitre.org/techniques/T1555/004', + tactics: ['credential-access'], + techniqueId: 'T1555', + }, + { + name: 'Windows File and Directory Permissions Modification', + id: 'T1222.001', + reference: 'https://attack.mitre.org/techniques/T1222/001', + tactics: ['defense-evasion'], + techniqueId: 'T1222', + }, + { + name: 'Windows Management Instrumentation Event Subscription', + id: 'T1546.003', + reference: 'https://attack.mitre.org/techniques/T1546/003', + tactics: ['privilege-escalation', 'persistence'], + techniqueId: 'T1546', + }, + { + name: 'Windows Remote Management', + id: 'T1021.006', + reference: 'https://attack.mitre.org/techniques/T1021/006', + tactics: ['lateral-movement'], + techniqueId: 'T1021', + }, + { + name: 'Windows Service', + id: 'T1543.003', + reference: 'https://attack.mitre.org/techniques/T1543/003', + tactics: ['persistence', 'privilege-escalation'], + techniqueId: 'T1543', + }, + { + name: 'Winlogon Helper DLL', + id: 'T1547.004', + reference: 'https://attack.mitre.org/techniques/T1547/004', + tactics: ['persistence', 'privilege-escalation'], + techniqueId: 'T1547', + }, + { + name: 'Wordlist Scanning', + id: 'T1595.003', + reference: 'https://attack.mitre.org/techniques/T1595/003', + tactics: 
['reconnaissance'], + techniqueId: 'T1595', + }, + { + name: 'XDG Autostart Entries', + id: 'T1547.013', + reference: 'https://attack.mitre.org/techniques/T1547/013', + tactics: ['persistence', 'privilege-escalation'], + techniqueId: 'T1547', + }, + { + name: 'XPC Services', + id: 'T1559.003', + reference: 'https://attack.mitre.org/techniques/T1559/003', + tactics: ['execution'], + techniqueId: 'T1559', + }, +]; + +export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.etcPasswdAndEtcShadowT1003Description', + { defaultMessage: '/etc/passwd and /etc/shadow (T1003.008)' } + ), + id: 'T1003.008', + name: '/etc/passwd and /etc/shadow', + reference: 'https://attack.mitre.org/techniques/T1003/008', + tactics: 'credential-access', + techniqueId: 'T1003', + value: 'etcPasswdAndEtcShadow', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.arpCachePoisoningT1557Description', + { defaultMessage: 'ARP Cache Poisoning (T1557.002)' } + ), + id: 'T1557.002', + name: 'ARP Cache Poisoning', + reference: 'https://attack.mitre.org/techniques/T1557/002', + tactics: 'credential-access,collection', + techniqueId: 'T1557', + value: 'arpCachePoisoning', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asRepRoastingT1558Description', + { defaultMessage: 'AS-REP Roasting (T1558.004)' } + ), + id: 'T1558.004', + name: 'AS-REP Roasting', + reference: 'https://attack.mitre.org/techniques/T1558/004', + tactics: 'credential-access', + techniqueId: 'T1558', + value: 'asRepRoasting', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.accessibilityFeaturesT1546Description', + { defaultMessage: 'Accessibility Features (T1546.008)' } + ), + id: 'T1546.008', + name: 'Accessibility Features', + reference: 
'https://attack.mitre.org/techniques/T1546/008', + tactics: 'privilege-escalation,persistence', + techniqueId: 'T1546', + value: 'accessibilityFeatures', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.activeSetupT1547Description', + { defaultMessage: 'Active Setup (T1547.014)' } + ), + id: 'T1547.014', + name: 'Active Setup', + reference: 'https://attack.mitre.org/techniques/T1547/014', + tactics: 'persistence,privilege-escalation', + techniqueId: 'T1547', + value: 'activeSetup', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addInsT1137Description', + { defaultMessage: 'Add-ins (T1137.006)' } + ), + id: 'T1137.006', + name: 'Add-ins', + reference: 'https://attack.mitre.org/techniques/T1137/006', + tactics: 'persistence', + techniqueId: 'T1137', + value: 'addIns', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description', + { defaultMessage: 'Additional Cloud Credentials (T1098.001)' } + ), + id: 'T1098.001', + name: 'Additional Cloud Credentials', + reference: 'https://attack.mitre.org/techniques/T1098/001', + tactics: 'persistence', + techniqueId: 'T1098', + value: 'additionalCloudCredentials', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudRolesT1098Description', + { defaultMessage: 'Additional Cloud Roles (T1098.003)' } + ), + id: 'T1098.003', + name: 'Additional Cloud Roles', + reference: 'https://attack.mitre.org/techniques/T1098/003', + tactics: 'persistence', + techniqueId: 'T1098', + value: 'additionalCloudRoles', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalEmailDelegatePermissionsT1098Description', + { defaultMessage: 'Additional Email Delegate Permissions (T1098.002)' } + ), + id: 'T1098.002', + name: 'Additional Email Delegate 
Permissions', + reference: 'https://attack.mitre.org/techniques/T1098/002', + tactics: 'persistence', + techniqueId: 'T1098', + value: 'additionalEmailDelegatePermissions', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description', + { defaultMessage: 'AppCert DLLs (T1546.009)' } + ), + id: 'T1546.009', + name: 'AppCert DLLs', + reference: 'https://attack.mitre.org/techniques/T1546/009', + tactics: 'privilege-escalation,persistence', + techniqueId: 'T1546', + value: 'appCertDlLs', }, { label: i18n.translate( @@ -3865,27 +8840,27 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atLinuxT1053Description', - { defaultMessage: 'At (Linux) (T1053.001)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atT1053Description', + { defaultMessage: 'At (T1053.002)' } ), - id: 'T1053.001', - name: 'At (Linux)', - reference: 'https://attack.mitre.org/techniques/T1053/001', + id: 'T1053.002', + name: 'At', + reference: 'https://attack.mitre.org/techniques/T1053/002', tactics: 'execution,persistence,privilege-escalation', techniqueId: 'T1053', - value: 'atLinux', + value: 'at', }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atWindowsT1053Description', - { defaultMessage: 'At (Windows) (T1053.002)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atLinuxT1053Description', + { defaultMessage: 'At (Linux) (T1053.001)' } ), - id: 'T1053.002', - name: 'At (Windows)', - reference: 'https://attack.mitre.org/techniques/T1053/002', + id: 'T1053.001', + name: 'At (Linux)', + reference: 'https://attack.mitre.org/techniques/T1053/001', tactics: 'execution,persistence,privilege-escalation', techniqueId: 'T1053', - value: 'atWindows', + value: 'atLinux', }, { label: i18n.translate( 
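Review bot: The new side keeps both `At` (T1053.002) and `At (Linux)` (T1053.001) as selectable sub-techniques, while renaming T1053.002 from `At (Windows)` to plain `At` suggests the upstream bundle folded the two together; if ATT&CK marks T1053.001 as deprecated or revoked, analysts will be able to tag rules with an ID that no longer resolves on attack.mitre.org. The extraction script (changed in a separate file not visible here) would be the place to drop such entries, e.g. by skipping STIX objects whose `x_mitre_deprecated` or `revoked` flag is set, rather than emitting them into this list. I cannot verify the bundle's status for T1053.001 from this diff, so treat this as a check before merging. The enclosing `subtechniquesOptions` array starts and ends outside this hunk.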
@@ -4103,18 +9078,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1592', value: 'clientConfigurations', }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudAccountT1136Description', - { defaultMessage: 'Cloud Account (T1136.003)' } - ), - id: 'T1136.003', - name: 'Cloud Account', - reference: 'https://attack.mitre.org/techniques/T1136/003', - tactics: 'persistence', - techniqueId: 'T1136', - value: 'cloudAccount', - }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudAccountT1087Description', @@ -4127,6 +9090,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1087', value: 'cloudAccount', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudAccountT1136Description', + { defaultMessage: 'Cloud Account (T1136.003)' } + ), + id: 'T1136.003', + name: 'Cloud Account', + reference: 'https://attack.mitre.org/techniques/T1136/003', + tactics: 'persistence', + techniqueId: 'T1136', + value: 'cloudAccount', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudAccountsT1078Description', @@ -4499,6 +9474,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1003', value: 'dcSync', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dhcpSpoofingT1557Description', + { defaultMessage: 'DHCP Spoofing (T1557.003)' } + ), + id: 'T1557.003', + name: 'DHCP Spoofing', + reference: 'https://attack.mitre.org/techniques/T1557/003', + tactics: 'credential-access,collection', + techniqueId: 'T1557', + value: 'dhcpSpoofing', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dllSearchOrderHijackingT1574Description', 
@@ -4523,18 +9510,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1574', value: 'dllSideLoading', }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dnsT1071Description', - { defaultMessage: 'DNS (T1071.004)' } - ), - id: 'T1071.004', - name: 'DNS', - reference: 'https://attack.mitre.org/techniques/T1071/004', - tactics: 'command-and-control', - techniqueId: 'T1071', - value: 'dns', - }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dnsT1590Description', @@ -4547,6 +9522,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1590', value: 'dns', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dnsT1071Description', + { defaultMessage: 'DNS (T1071.004)' } + ), + id: 'T1071.004', + name: 'DNS', + reference: 'https://attack.mitre.org/techniques/T1071/004', + tactics: 'command-and-control', + techniqueId: 'T1071', + value: 'dns', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.dnsCalculationT1568Description', 
@@ -4645,14 +9632,26 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1587Description', - { defaultMessage: 'Digital Certificates (T1587.003)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.deviceRegistrationT1098Description', + { defaultMessage: 'Device Registration (T1098.005)' } ), - id: 'T1587.003', + id: 'T1098.005', + name: 'Device Registration', + reference: 'https://attack.mitre.org/techniques/T1098/005', + tactics: 'persistence', + techniqueId: 'T1098', + value: 'deviceRegistration', + }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1596Description', + { defaultMessage: 'Digital Certificates (T1596.003)' } + ), + id: 'T1596.003', name: 'Digital Certificates', - reference: 'https://attack.mitre.org/techniques/T1587/003', - tactics: 'resource-development', - techniqueId: 'T1587', + reference: 'https://attack.mitre.org/techniques/T1596/003', + tactics: 'reconnaissance', + techniqueId: 'T1596', value: 'digitalCertificates', }, { @@ -4669,14 +9668,14 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1596Description', - { defaultMessage: 'Digital Certificates (T1596.003)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1587Description', + { defaultMessage: 'Digital Certificates (T1587.003)' } ), - id: 'T1596.003', + id: 'T1587.003', name: 'Digital Certificates', - reference: 'https://attack.mitre.org/techniques/T1596/003', - tactics: 'reconnaissance', - techniqueId: 'T1596', + reference: 'https://attack.mitre.org/techniques/T1587/003', + tactics: 'resource-development', + techniqueId: 'T1587', value: 'digitalCertificates', }, { 
@@ -4799,18 +9798,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1021', value: 'distributedComponentObjectModel', }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainAccountT1136Description', - { defaultMessage: 'Domain Account (T1136.002)' } - ), - id: 'T1136.002', - name: 'Domain Account', - reference: 'https://attack.mitre.org/techniques/T1136/002', - tactics: 'persistence', - techniqueId: 'T1136', - value: 'domainAccount', - }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainAccountT1087Description', @@ -4823,6 +9810,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1087', value: 'domainAccount', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainAccountT1136Description', + { defaultMessage: 'Domain Account (T1136.002)' } + ), + id: 'T1136.002', + name: 'Domain Account', + reference: 'https://attack.mitre.org/techniques/T1136/002', + tactics: 'persistence', + techniqueId: 'T1136', + value: 'domainAccount', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.domainAccountsT1078Description', 
@@ -5053,26 +10052,26 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.emailAccountsT1585Description', - { defaultMessage: 'Email Accounts (T1585.002)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.emailAccountsT1586Description', + { defaultMessage: 'Email Accounts (T1586.002)' } ), - id: 'T1585.002', + id: 'T1586.002', name: 'Email Accounts', - reference: 'https://attack.mitre.org/techniques/T1585/002', + reference: 'https://attack.mitre.org/techniques/T1586/002', tactics: 'resource-development', - techniqueId: 'T1585', + techniqueId: 'T1586', value: 'emailAccounts', }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.emailAccountsT1586Description', - { defaultMessage: 'Email Accounts (T1586.002)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.emailAccountsT1585Description', + { defaultMessage: 'Email Accounts (T1585.002)' } ), - id: 'T1586.002', + id: 'T1585.002', name: 'Email Accounts', - reference: 'https://attack.mitre.org/techniques/T1586/002', + reference: 'https://attack.mitre.org/techniques/T1585/002', tactics: 'resource-development', - techniqueId: 'T1586', + techniqueId: 'T1585', value: 'emailAccounts', }, { 
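Review bot: The two `Email Accounts` entries only swap positions (T1586.002 now precedes T1585.002) with no content change, which looks like the generator sorts by `name` alone and lets ties fall in bundle order; the same flip shows up for other same-named pairs in this diff. A secondary sort key on `id`, e.g. `.sort((a, b) => a.name.localeCompare(b.name) || a.id.localeCompare(b.id))` in the extraction script, would make regeneration deterministic and keep future diffs to real changes. Note also that both entries carry the same `value: 'emailAccounts'`; that collision predates this change, but if `value` is used as an option key or React key anywhere, it is worth a follow-up to derive it from the sub-technique ID. The enclosing `subtechniquesOptions` array starts and ends outside this hunk.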
@@ -5147,18 +10146,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1480', value: 'environmentalKeying', }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exchangeEmailDelegatePermissionsT1098Description', - { defaultMessage: 'Exchange Email Delegate Permissions (T1098.002)' } - ), - id: 'T1098.002', - name: 'Exchange Email Delegate Permissions', - reference: 'https://attack.mitre.org/techniques/T1098/002', - tactics: 'persistence', - techniqueId: 'T1098', - value: 'exchangeEmailDelegatePermissions', - }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.executableInstallerFilePermissionsWeaknessT1574Description', @@ -5209,15 +10196,15 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUnencryptedObfuscatedNonC2ProtocolT1048Description', - { defaultMessage: 'Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUnencryptedNonC2ProtocolT1048Description', + { defaultMessage: 'Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003)' } ), id: 'T1048.003', - name: 'Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol', + name: 'Exfiltration Over Unencrypted Non-C2 Protocol', reference: 'https://attack.mitre.org/techniques/T1048/003', tactics: 'exfiltration', techniqueId: 'T1048', - value: 'exfiltrationOverUnencryptedObfuscatedNonC2Protocol', + value: 'exfiltrationOverUnencryptedNonC2Protocol', }, { label: i18n.translate( 
@@ -5723,6 +10710,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1547', value: 'kernelModulesAndExtensions', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.kernelCallbackTableT1574Description', + { defaultMessage: 'KernelCallbackTable (T1574.013)' } + ), + id: 'T1574.013', + name: 'KernelCallbackTable', + reference: 'https://attack.mitre.org/techniques/T1574/013', + tactics: 'persistence,privilege-escalation,defense-evasion', + techniqueId: 'T1574', + value: 'kernelCallbackTable', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.keychainT1555Description', @@ -5881,15 +10880,15 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localAccountT1136Description', - { defaultMessage: 'Local Account (T1136.001)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.listPlantingT1055Description', + { defaultMessage: 'ListPlanting (T1055.015)' } ), - id: 'T1136.001', - name: 'Local Account', - reference: 'https://attack.mitre.org/techniques/T1136/001', - tactics: 'persistence', - techniqueId: 'T1136', - value: 'localAccount', + id: 'T1055.015', + name: 'ListPlanting', + reference: 'https://attack.mitre.org/techniques/T1055/015', + tactics: 'defense-evasion,privilege-escalation', + techniqueId: 'T1055', + value: 'listPlanting', }, { label: i18n.translate( 
@@ -5903,6 +10902,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1087', value: 'localAccount', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localAccountT1136Description', + { defaultMessage: 'Local Account (T1136.001)' } + ), + id: 'T1136.001', + name: 'Local Account', + reference: 'https://attack.mitre.org/techniques/T1136/001', + tactics: 'persistence', + techniqueId: 'T1136', + value: 'localAccount', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localAccountsT1078Description', @@ -5951,6 +10962,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1069', value: 'localGroups', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.loginHookT1037Description', + { defaultMessage: 'Login Hook (T1037.002)' } + ), + id: 'T1037.002', + name: 'Login Hook', + reference: 'https://attack.mitre.org/techniques/T1037/002', + tactics: 'persistence,privilege-escalation', + techniqueId: 'T1037', + value: 'loginHook', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.loginItemsT1547Description', @@ -5963,18 +10986,6 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1547', value: 'loginItems', }, - { - label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptMacT1037Description', - { defaultMessage: 'Logon Script (Mac) (T1037.002)' } - ), - id: 'T1037.002', - name: 'Logon Script (Mac)', - reference: 'https://attack.mitre.org/techniques/T1037/002', - tactics: 'persistence,privilege-escalation', - techniqueId: 'T1037', - value: 'logonScriptMac', - }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptWindowsT1037Description', 
@@ -6707,6 +11718,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1055', value: 'procMemory', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.processArgumentSpoofingT1564Description', + { defaultMessage: 'Process Argument Spoofing (T1564.010)' } + ), + id: 'T1564.010', + name: 'Process Argument Spoofing', + reference: 'https://attack.mitre.org/techniques/T1564/010', + tactics: 'defense-evasion', + techniqueId: 'T1564', + value: 'processArgumentSpoofing', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.processDoppelgangingT1055Description', @@ -6959,6 +11982,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1564', value: 'resourceForking', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.reversibleEncryptionT1556Description', + { defaultMessage: 'Reversible Encryption (T1556.005)' } + ), + id: 'T1556.005', + name: 'Reversible Encryption', + reference: 'https://attack.mitre.org/techniques/T1556/005', + tactics: 'credential-access,defense-evasion,persistence', + techniqueId: 'T1556', + value: 'reversibleEncryption', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.revertCloudInstanceT1578Description', 
@@ -7381,26 +12416,26 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.socialMediaAccountsT1585Description', - { defaultMessage: 'Social Media Accounts (T1585.001)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.socialMediaAccountsT1586Description', + { defaultMessage: 'Social Media Accounts (T1586.001)' } ), - id: 'T1585.001', + id: 'T1586.001', name: 'Social Media Accounts', - reference: 'https://attack.mitre.org/techniques/T1585/001', + reference: 'https://attack.mitre.org/techniques/T1586/001', tactics: 'resource-development', - techniqueId: 'T1585', + techniqueId: 'T1586', value: 'socialMediaAccounts', }, { label: i18n.translate( - 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.socialMediaAccountsT1586Description', - { defaultMessage: 'Social Media Accounts (T1586.001)' } + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.socialMediaAccountsT1585Description', + { defaultMessage: 'Social Media Accounts (T1585.001)' } ), - id: 'T1586.001', + id: 'T1585.001', name: 'Social Media Accounts', - reference: 'https://attack.mitre.org/techniques/T1586/001', + reference: 'https://attack.mitre.org/techniques/T1585/001', tactics: 'resource-development', - techniqueId: 'T1586', + techniqueId: 'T1585', value: 'socialMediaAccounts', }, { 
@@ -7667,6 +12702,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [ techniqueId: 'T1542', value: 'tftpBoot', }, + { + label: i18n.translate( + 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.terminalServicesDllT1505Description', + { defaultMessage: 'Terminal Services DLL (T1505.005)' } + ), + id: 'T1505.005', + name: 'Terminal Services DLL', + reference: 'https://attack.mitre.org/techniques/T1505/005', + tactics: 'persistence', + techniqueId: 'T1505', + value: 'terminalServicesDll', + }, { label: i18n.translate( 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.threadExecutionHijackingT1055Description', 
@@ -7921,26 +12968,26 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.virtualPrivateServerT1583Description',
- { defaultMessage: 'Virtual Private Server (T1583.003)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.virtualPrivateServerT1584Description',
+ { defaultMessage: 'Virtual Private Server (T1584.003)' }
 ),
- id: 'T1583.003',
+ id: 'T1584.003',
 name: 'Virtual Private Server',
- reference: 'https://attack.mitre.org/techniques/T1583/003',
+ reference: 'https://attack.mitre.org/techniques/T1584/003',
 tactics: 'resource-development',
- techniqueId: 'T1583',
+ techniqueId: 'T1584',
 value: 'virtualPrivateServer',
 },
 {
 label: i18n.translate(
- 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.virtualPrivateServerT1584Description',
- { defaultMessage: 'Virtual Private Server (T1584.003)' }
+ 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.virtualPrivateServerT1583Description',
+ { defaultMessage: 'Virtual Private Server (T1583.003)' }
 ),
- id: 'T1584.003',
+ id: 'T1583.003',
 name: 'Virtual Private Server',
- reference: 'https://attack.mitre.org/techniques/T1584/003',
+ reference: 'https://attack.mitre.org/techniques/T1583/003',
 tactics: 'resource-development',
- techniqueId: 'T1584',
+ techniqueId: 'T1583',
 value: 'virtualPrivateServer',
 },
 {
@@ -8159,6 +13206,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
 techniqueId: 'T1547',
 value: 'winlogonHelperDll',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.wordlistScanningT1595Description',
+ { defaultMessage: 'Wordlist Scanning (T1595.003)' }
+ ),
+ id: 'T1595.003',
+ name: 'Wordlist Scanning',
+ reference: 'https://attack.mitre.org/techniques/T1595/003',
+ tactics: 'reconnaissance',
+ techniqueId: 'T1595',
+ value: 'wordlistScanning',
+ },
 {
 label: i18n.translate(
 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.xdgAutostartEntriesT1547Description',
@@ -8171,6 +13230,18 @@ export const subtechniquesOptions: MitreSubtechniquesOptions[] = [
 techniqueId: 'T1547',
 value: 'xdgAutostartEntries',
 },
+ {
+ label: i18n.translate(
+ 'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.xpcServicesT1559Description',
+ { defaultMessage: 'XPC Services (T1559.003)' }
+ ),
+ id: 'T1559.003',
+ name: 'XPC Services',
+ reference: 'https://attack.mitre.org/techniques/T1559/003',
+ tactics: 'execution',
+ techniqueId: 'T1559',
+ value: 'xpcServices',
+ },
 ];
 /**
diff --git a/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js b/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js
index b0b963872585a..162357ae61e82 100644
--- a/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js
+++ b/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js
@@ -11,12 +11,16 @@ const fs = require('fs');
 // eslint-disable-next-line import/no-extraneous-dependencies
 const fetch = require('node-fetch');
 // eslint-disable-next-line import/no-extraneous-dependencies
-const { camelCase, startCase } = require('lodash');
+const { camelCase, sortBy } = require('lodash');
 const { resolve } = require('path');
 const OUTPUT_DIRECTORY = resolve('public', 'detections', 'mitre');
-const MITRE_ENTERPRISE_ATTACK_URL =
- 'https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json';
+
+// Every release we should update the version of MITRE ATT&CK content and regenerate the model in our code.
+// This version must correspond to the one used for prebuilt rules in https://github.com/elastic/detection-rules.
+// This version is basically a tag on https://github.com/mitre/cti/tags, or can be a branch name like `master`.
+const MITRE_CONTENT_VERSION = 'ATT&CK-v11.3'; // last updated when preparing for 8.4.0 release
+const MITRE_CONTENT_URL = `https://raw.githubusercontent.com/mitre/cti/${MITRE_CONTENT_VERSION}/enterprise-attack/enterprise-attack.json`;
 const getTacticsOptions = (tactics) =>
 tactics.map((t) =>
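Review bot: `MITRE_CONTENT_VERSION` pins the download to a git tag, but a tag on a third-party repository is mutable and the script writes whatever it fetches straight into committed source, so a later reader cannot tell whether the generated model still matches the upstream content that was reviewed. Recording the commit SHA behind the tag next to the version comment (or fetching by SHA) and comparing a hash of the downloaded JSON against an expected value, e.g. `const EXPECTED_SHA256 = '<placeholder>';` checked before the file is written, would make regeneration reproducible. The version string is also interpolated into the URL path unencoded; `&` is a legal path character so the current tag should resolve, but `${encodeURIComponent(MITRE_CONTENT_VERSION)}` would keep arbitrary tag or branch names well-formed.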
@@ -67,98 +71,124 @@ const getSubtechniquesOptions = (subtechniques) =>
 }`.replace(/(\r\n|\n|\r)/gm, ' ')
 );
-const getIdReference = (references) =>
- references.reduce(
- (obj, extRef) => {
- if (extRef.source_name === 'mitre-attack') {
- return {
- id: extRef.external_id,
- reference: extRef.url,
- };
+const getIdReference = (references) => {
+ const ref = references.find((r) => r.source_name === 'mitre-attack');
+ if (ref != null) {
+ return {
+ id: ref.external_id,
+ reference: ref.url,
+ };
+ } else {
+ return { id: '', reference: '' };
+ }
+};
+
+const extractTacticsData = (mitreData) => {
+ const tactics = mitreData
+ .filter((obj) => obj.type === 'x-mitre-tactic')
+ .reduce((acc, item) => {
+ const { id, reference } = getIdReference(item.external_references);
+
+ return [
+ ...acc,
+ {
+ displayName: item.name,
+ shortName: item.x_mitre_shortname,
+ id,
+ reference,
+ },
+ ];
+ }, []);
+
+ return sortBy(tactics, 'displayName');
+};
+
+const normalizeTacticsData = (tacticsData) => {
+ return tacticsData.map((data) => {
+ const { displayName, id, reference } = data;
+ return { name: displayName, id, reference };
+ });
+};
+
+const extractTechniques = (mitreData) => {
+ const techniques = mitreData
+ .filter(
+ (obj) =>
+ obj.type === 'attack-pattern' &&
+ (obj.x_mitre_is_subtechnique === false || obj.x_mitre_is_subtechnique === undefined)
+ )
+ .reduce((acc, item) => {
+ let tactics = [];
+ const { id, reference } = getIdReference(item.external_references);
+ if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) {
+ item.kill_chain_phases.forEach((tactic) => {
+ tactics = [...tactics, tactic.phase_name];
+ });
 }
- return obj;
- },
- { id: '', reference: '' }
- );
-const buildMockThreatData = (tactics, techniques, subtechniques) => {
+ return [
+ ...acc,
+ {
+ name: item.name,
+ id,
+ reference,
+ tactics,
+ },
+ ];
+ }, []);
+
+ return sortBy(techniques, 'name');
+};
+
+const extractSubtechniques = (mitreData) => {
+ const subtechniques = mitreData
+ .filter((obj) => obj.x_mitre_is_subtechnique === true)
+ .reduce((acc, item) => {
+ let tactics = [];
+ const { id, reference } = getIdReference(item.external_references);
+ if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) {
+ item.kill_chain_phases.forEach((tactic) => {
+ tactics = [...tactics, tactic.phase_name];
+ });
+ }
+ const techniqueId = id.split('.')[0];
+
+ return [
+ ...acc,
+ {
+ name: item.name,
+ id,
+ reference,
+ tactics,
+ techniqueId,
+ },
+ ];
+ }, []);
+
+ return sortBy(subtechniques, 'name');
+};
+
+const buildMockThreatData = (tacticsData, techniques, subtechniques) => {
 const subtechnique = subtechniques[0];
 const technique = techniques.find((technique) => technique.id === subtechnique.techniqueId);
- const tactic = tactics.find(
- (tactic) => tactic.name === startCase(camelCase(technique.tactics[0]))
- );
+ const tactic = tacticsData.find((tactic) => tactic.shortName === technique.tactics[0]);
 return {
- tactic,
+ tactic: normalizeTacticsData([tactic])[0],
 technique,
 subtechnique,
 };
 };
 async function main() {
- fetch(MITRE_ENTERPRISE_ATTACK_URL)
+ fetch(MITRE_CONTENT_URL)
 .then((res) => res.json())
 .then((json) => {
 const mitreData = json.objects;
- const tactics = mitreData
- .filter((obj) => obj.type === 'x-mitre-tactic')
- .reduce((acc, item) => {
- const { id, reference } = getIdReference(item.external_references);
-
- return [
- ...acc,
- {
- name: item.name,
- id,
- reference,
- },
- ];
- }, []);
- const techniques = mitreData
- .filter((obj) => obj.type === 'attack-pattern' && obj.x_mitre_is_subtechnique === false)
- .reduce((acc, item) => {
- let tactics = [];
- const { id, reference } = getIdReference(item.external_references);
- if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) {
- item.kill_chain_phases.forEach((tactic) => {
- tactics = [...tactics, tactic.phase_name];
- });
- }
-
- return [
- ...acc,
- {
- name: item.name,
- id,
- reference,
- tactics,
- },
- ];
- }, []);
-
- const subtechniques = mitreData
- .filter((obj) => obj.x_mitre_is_subtechnique === true)
- .reduce((acc, item) => {
- let tactics = [];
- const { id, reference } = getIdReference(item.external_references);
- if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) {
- item.kill_chain_phases.forEach((tactic) => {
- tactics = [...tactics, tactic.phase_name];
- });
- }
- const techniqueId = id.split('.')[0];
-
- return [
- ...acc,
- {
- name: item.name,
- id,
- reference,
- tactics,
- techniqueId,
- },
- ];
- }, []);
+ const tacticsData = extractTacticsData(mitreData);
+ const tactics = normalizeTacticsData(tacticsData);
+ const techniques = extractTechniques(mitreData);
+ const subtechniques = extractSubtechniques(mitreData);
 const body = `/*
 * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
@@ -202,7 +232,7 @@ async function main() {
 * Is built alongside and sampled from the data in the file so to always be valid with the most up to date MITRE ATT&CK data
 */
 export const getMockThreatData = () => (${JSON.stringify(
- buildMockThreatData(tactics, techniques, subtechniques),
+ buildMockThreatData(tacticsData, techniques, subtechniques),
 null,
 2
 )
diff --git a/x-pack/plugins/translations/translations/fr-FR.json b/x-pack/plugins/translations/translations/fr-FR.json
index 5c7d7b551ec18..8708df5332833 100644
--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
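Review bot: The widened filter in `extractTechniques` (`obj.x_mitre_is_subtechnique === false || obj.x_mitre_is_subtechnique === undefined`) admits every `attack-pattern` that lacks the flag, and in the MITRE CTI bundle such objects are typically pre-sub-technique entries that carry `revoked: true` or `x_mitre_deprecated: true`, so the generated technique list is likely to be padded with IDs that are no longer part of the pinned matrix. Adding `obj.revoked !== true && obj.x_mitre_deprecated !== true &&` to the `.filter` in both `extractTechniques` and `extractSubtechniques` would keep the picker and the mock threat data sampled from it aligned with `MITRE_CONTENT_VERSION`. Separately, `getIdReference` now returns `{ id: '', reference: '' }` when no `mitre-attack` reference exists, and `extractSubtechniques` turns that into an empty `techniqueId` via `id.split('.')[0]` without complaint; throwing on a missing reference would surface a malformed bundle at generation time rather than emitting a silently broken option. `buildMockThreatData` likewise dereferences the result of `tacticsData.find(...)` without checking for `undefined`, which would fail inside `normalizeTacticsData` with an unhelpful destructuring error.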
@@ -24754,7 +24754,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.activeSetupT1547Description": "Configuration active (T1547.014)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addInsT1137Description": "Compléments (T1137.006)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description": "Informations d'identification de cloud supplémentaires (T1098.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addOffice365GlobalAdministratorRoleT1098Description": "Ajouter un rôle d'administrateur global Office 365 (T1098.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description": "DLL AppCert (T1546.009)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appInitDlLsT1546Description": "DLL AppInit (T1546.010)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appleScriptT1059Description": "AppleScript (T1059.002)",
@@ -24770,7 +24769,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asymmetricCryptographyT1573Description": "Cryptographie asymétrique (T1573.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asynchronousProcedureCallT1055Description": "Procédure d'appel asynchrone (T1055.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atLinuxT1053Description": "At (Linux) (T1053.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atWindowsT1053Description": "At (Windows) (T1053.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.authenticationPackageT1547Description": "Pack d'authentification (T1547.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bashHistoryT1552Description": "Historique bash (T1552.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bidirectionalCommunicationT1102Description": "Communication bidirectionnelle (T1102.002)",
@@ -24877,12 +24875,10 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.employeeNamesT1589Description": "Noms d'employés (T1589.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.environmentalKeyingT1480Description": "Saisie environnementale (T1480.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.etcPasswdAndEtcShadowT1003Description": "/etc/passwd et /etc/shadow (T1003.008)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exchangeEmailDelegatePermissionsT1098Description": "Autorisations de délégation du courrier Exchange (T1098.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.executableInstallerFilePermissionsWeaknessT1574Description": "Faiblesse d'autorisations du fichier d'installation exécutable (T1574.005)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverAsymmetricEncryptedNonC2ProtocolT1048Description": "Exfiltration sur protocole chiffré asymétrique non C2 (T1048.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverBluetoothT1011Description": "Exfiltration sur Bluetooth (T1011.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverSymmetricEncryptedNonC2ProtocolT1048Description": "Exfiltration sur protocole chiffré symétrique non C2 (T1048.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUnencryptedObfuscatedNonC2ProtocolT1048Description": "Exfiltration sur protocole non chiffré/brouillé non C2 (T1048.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUsbT1052Description": "Exfiltration sur USB (T1052.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCloudStorageT1567Description": "Exfiltration vers stockage cloud (T1567.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCodeRepositoryT1567Description": "Exfiltration vers référentiel de code (T1567.001)",
@@ -24942,7 +24938,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localEmailCollectionT1114Description": "Collection d'e-mails locaux (T1114.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localGroupsT1069Description": "Groupes locaux (T1069.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.loginItemsT1547Description": "Éléments de connexion (T1547.015)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptMacT1037Description": "Script de connexion (Mac) (T1037.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptWindowsT1037Description": "Script de connexion (Windows) (T1037.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsaSecretsT1003Description": "Secrets LSA (T1003.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsassDriverT1547Description": "Pilote LSASS (T1547.008)",
@@ -25261,7 +25256,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nativeApiDescription": "API native (T1106)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkBoundaryBridgingDescription": "Franchissement des limites du réseau (T1599)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkDenialOfServiceDescription": "Déni de service réseau (T1498)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkServiceScanningDescription": "Analyse du service réseau (T1046)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkShareDiscoveryDescription": "Découverte de partages réseau (T1135)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkSniffingDescription": "Sniffing réseau (T1040)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nonApplicationLayerProtocolDescription": "Protocole de couche non applicative (T1095)",
@@ -25304,8 +25298,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceStopDescription": "Arrêt de service (T1489)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedModulesDescription": "Modules partagés (T1129)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedWebrootDescription": "Répertoire racine du Web partagé (T1051)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedBinaryProxyExecutionDescription": "Exécution du proxy binaire signé (T1218)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedScriptProxyExecutionDescription": "Exécution du proxy de script signé (T1216)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDeploymentToolsDescription": "Outils de déploiement logiciel (T1072)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDiscoveryDescription": "Découverte de logiciels (T1518)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sourceDescription": "Source (T1153)",
@@ -25330,7 +25322,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.transferDataToCloudAccountDescription": "Transfert de données vers le compte cloud (T1537)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedDeveloperUtilitiesProxyExecutionDescription": "Exécution de proxy d'utilitaires de développeur de confiance (T1127)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedRelationshipDescription": "Relation de confiance (T1199)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.twoFactorAuthenticationInterceptionDescription": "Interception d'authentification à deux facteurs (T1111)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unsecuredCredentialsDescription": "Informations d'identification non sécurisées (T1552)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unusedUnsupportedCloudRegionsDescription": "Régions cloud non utilisées/non prises en charge (T1535)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.useAlternateAuthenticationMaterialDescription": "Utilisation d'autres supports d'authentification (T1550)",
diff --git a/x-pack/plugins/translations/translations/ja-JP.json b/x-pack/plugins/translations/translations/ja-JP.json
index fe46cfda3399e..563fe391969b0 100644
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@@ -24834,7 +24834,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.activeSetupT1547Description": "アクティブな設定 (T1547.014)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addInsT1137Description": "アドイン(T1137.006)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description": "追加のクラウド資格情報(T1098.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addOffice365GlobalAdministratorRoleT1098Description": "Office 365 グローバル管理者ロールの追加(T1098.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description": "AppCert DLL(T1546.009)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appInitDlLsT1546Description": "AppInit DLLs (T1546.010)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appleScriptT1059Description": "AppleScript (T1059.002)",
@@ -24850,7 +24849,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asymmetricCryptographyT1573Description": "非対称暗号化(T1573.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asynchronousProcedureCallT1055Description": "非同期プローシージャーコール(T1055.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atLinuxT1053Description": "(Linux)(T1053.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atWindowsT1053Description": "(Windows)(T1053.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.authenticationPackageT1547Description": "認証パッケージ(T1547.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bashHistoryT1552Description": "Bash 履歴(T1552.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bidirectionalCommunicationT1102Description": "双方向通信(T1102.002)",
@@ -24957,12 +24955,10 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.employeeNamesT1589Description": "従業員名(T1589.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.environmentalKeyingT1480Description": "環境キーイング(T1480.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.etcPasswdAndEtcShadowT1003Description": "/etc/passwd and /etc/shadow(T1003.008)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exchangeEmailDelegatePermissionsT1098Description": "Exchange 電子メール委任権限(T1098.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.executableInstallerFilePermissionsWeaknessT1574Description": "実行ファイルインストーラーファイル権限脆弱性(T1574.005)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverAsymmetricEncryptedNonC2ProtocolT1048Description": "非対称暗号化非 C2 プロトコルでのデータ抽出(T1048.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverBluetoothT1011Description": "Bluetooth でのデータ抽出(T1011.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverSymmetricEncryptedNonC2ProtocolT1048Description": "対称暗号化非 C2 プロトコルでのデータ抽出(T1048.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUnencryptedObfuscatedNonC2ProtocolT1048Description": "非暗号化/難読化非 C2 プロトコルでのデータ抽出(T1048.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUsbT1052Description": "USB でのデータ抽出(T1052.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCloudStorageT1567Description": "クラウドストレージへのデータ抽出(T1567.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCodeRepositoryT1567Description": "コードリポジトリへのデータ抽出(T1567.001)",
@@ -25022,7 +25018,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localEmailCollectionT1114Description": "ローカル電子メール収集(T1114.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localGroupsT1069Description": "ローカルグループ(T1069.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.loginItemsT1547Description": "Login Items (T1547.015)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptMacT1037Description": "ログオンスクリプト(Mac)(T1037.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptWindowsT1037Description": "ログオンスクリプト(Windows)(T1037.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsaSecretsT1003Description": "LSA シークレット(T1003.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsassDriverT1547Description": "LSASS ドライバー(T1547.008)",
@@ -25341,7 +25336,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nativeApiDescription": "ネイティブ API(T1106)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkBoundaryBridgingDescription": "ネットワーク境界ブリッジ(T1599)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkDenialOfServiceDescription": "ネットワークサービス妨害(T1498)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkServiceScanningDescription": "ネットワークサービススキャン(T1046)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkShareDiscoveryDescription": "ネットワーク共有検出(T1135)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkSniffingDescription": "ネットワーク検査(T1040)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nonApplicationLayerProtocolDescription": "非アプリケーション層プロトコル(T1095)",
@@ -25384,8 +25378,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceStopDescription": "サービス停止(T1489)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedModulesDescription": "共有モジュール(T1129)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedWebrootDescription": "共有 Webroot(T1051)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedBinaryProxyExecutionDescription": "署名されたバイナリプロキシ実行(T1218)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedScriptProxyExecutionDescription": "署名されたスクリプトプロキシ実行(T1216)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDeploymentToolsDescription": "ソフトウェア開発ツール(T1072)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDiscoveryDescription": "ソフトウェア検出(T1518)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sourceDescription": "ソース(T1153)",
@@ -25410,7 +25402,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.transferDataToCloudAccountDescription": "クラウドアカウントへのデータ転送(T1537)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedDeveloperUtilitiesProxyExecutionDescription": "信頼できる開発者のユーティリティのプロキシ実行(T1127)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedRelationshipDescription": "信頼できる関係(T1199)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.twoFactorAuthenticationInterceptionDescription": "二要素認証傍受(T1111)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unsecuredCredentialsDescription": "保護されていない資格情報(T1552)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unusedUnsupportedCloudRegionsDescription": "未使用/サポートされていないクラウドリージョン(T1535)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.useAlternateAuthenticationMaterialDescription": "代替認証方法の使用(T1550)",
diff --git a/x-pack/plugins/translations/translations/zh-CN.json b/x-pack/plugins/translations/translations/zh-CN.json
index 8968f2f5b6ddb..504e4a4c4f0e2 100644
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@@ -24860,7 +24860,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.activeSetupT1547Description": "Active Setup (T1547.014)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addInsT1137Description": "Add-ins (T1137.006)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalCloudCredentialsT1098Description": "Additional Cloud Credentials (T1098.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.addOffice365GlobalAdministratorRoleT1098Description": "Add Office 365 Global Administrator Role (T1098.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appCertDlLsT1546Description": "AppCert DLLs (T1546.009)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appInitDlLsT1546Description": "AppInit DLLs (T1546.010)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.appleScriptT1059Description": "AppleScript (T1059.002)",
@@ -24876,7 +24875,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asymmetricCryptographyT1573Description": "Asymmetric Cryptography (T1573.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.asynchronousProcedureCallT1055Description": "Asynchronous Procedure Call (T1055.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atLinuxT1053Description": "At (Linux) (T1053.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.atWindowsT1053Description": "At (Windows) (T1053.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.authenticationPackageT1547Description": "Authentication Package (T1547.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bashHistoryT1552Description": "Bash History (T1552.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.bidirectionalCommunicationT1102Description": "Bidirectional Communication (T1102.002)",
@@ -24983,12 +24981,10 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.employeeNamesT1589Description": "Employee Names (T1589.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.environmentalKeyingT1480Description": "Environmental Keying (T1480.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.etcPasswdAndEtcShadowT1003Description": "/etc/passwd and /etc/shadow (T1003.008)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exchangeEmailDelegatePermissionsT1098Description": "Exchange Email Delegate Permissions (T1098.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.executableInstallerFilePermissionsWeaknessT1574Description": "Executable Installer File Permissions Weakness (T1574.005)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverAsymmetricEncryptedNonC2ProtocolT1048Description": "Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverBluetoothT1011Description": "Exfiltration Over Bluetooth (T1011.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverSymmetricEncryptedNonC2ProtocolT1048Description": "Exfiltration Over Symmetric Encrypted Non-C2 Protocol (T1048.001)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUnencryptedObfuscatedNonC2ProtocolT1048Description": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUsbT1052Description": "Exfiltration over USB (T1052.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCloudStorageT1567Description": "Exfiltration to Cloud Storage (T1567.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationToCodeRepositoryT1567Description": "Exfiltration to Code Repository (T1567.001)",
@@ -25048,7 +25044,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localEmailCollectionT1114Description": "Local Email Collection (T1114.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.localGroupsT1069Description": "Local Groups (T1069.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.loginItemsT1547Description": "Login Items (T1547.015)",
- "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptMacT1037Description": "Logon Script (Mac) (T1037.002)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.logonScriptWindowsT1037Description": "Logon Script (Windows) (T1037.001)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsaSecretsT1003Description": "LSA Secrets (T1003.004)",
 "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsassDriverT1547Description": "LSASS Driver (T1547.008)",
@@ -25367,7 +25362,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nativeApiDescription": "Native API (T1106)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkBoundaryBridgingDescription": "Network Boundary Bridging (T1599)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkDenialOfServiceDescription": "Network Denial of Service (T1498)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkServiceScanningDescription": "Network Service Scanning (T1046)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkShareDiscoveryDescription": "Network Share Discovery (T1135)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.networkSniffingDescription": "Network Sniffing (T1040)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.nonApplicationLayerProtocolDescription": "Non-Application Layer Protocol (T1095)",
@@ -25410,8 +25404,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.serviceStopDescription": "Service Stop (T1489)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedModulesDescription": "Shared Modules (T1129)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sharedWebrootDescription": "Shared Webroot (T1051)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedBinaryProxyExecutionDescription": "Signed Binary Proxy Execution (T1218)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.signedScriptProxyExecutionDescription": "Signed Script Proxy Execution (T1216)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDeploymentToolsDescription": "Software Deployment Tools (T1072)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.softwareDiscoveryDescription": "Software Discovery (T1518)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.sourceDescription": "Source (T1153)",
@@ -25436,7 +25428,6 @@
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.transferDataToCloudAccountDescription": "Transfer Data to Cloud Account (T1537)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedDeveloperUtilitiesProxyExecutionDescription": "Trusted Developer Utilities Proxy Execution (T1127)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.trustedRelationshipDescription": "Trusted Relationship (T1199)",
- "xpack.securitySolution.detectionEngine.mitreAttackTechniques.twoFactorAuthenticationInterceptionDescription": "Two-Factor Authentication Interception (T1111)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unsecuredCredentialsDescription": "Unsecured Credentials (T1552)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.unusedUnsupportedCloudRegionsDescription": "Unused/Unsupported Cloud Regions (T1535)",
 "xpack.securitySolution.detectionEngine.mitreAttackTechniques.useAlternateAuthenticationMaterialDescription": "Use Alternate Authentication Material (T1550)",